CVE-2026-36232
Published: 10 April 2026
Summary
CVE-2026-36232 is a critical-severity SQL Injection (CWE-89) vulnerability in Itsourcecode Online Student Enrollment System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 23.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-36232 is a SQL injection vulnerability (CWE-89) affecting the instructorClasses.php file in the itsourcecode Online Student Enrollment System version 1.0. The issue stems from the 'classId' parameter, sourced directly from $_GET['classId'], being concatenated into an SQL query without any sanitization or validation. Published on 2026-04-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote impact.
Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation enables high-impact outcomes on confidentiality, integrity, and availability, allowing arbitrary SQL command execution to extract sensitive data, alter database contents, or disrupt system operations.
A technical report detailing the vulnerability is available at https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_instructorClasses.php_sql_injection.pdf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21390
Vulnerability details
A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing web application directly enables remote, unauthenticated exploitation via T1190 (Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of inputs such as the 'classId' parameter from $_GET, preventing unsafe concatenation into SQL queries.
- SI-2 (Flaw Remediation): ensures timely remediation of the SQL injection flaw in instructorClasses.php through identification, reporting, and correction processes.
- Vulnerability scanning: facilitates detection of SQL injection vulnerabilities like CVE-2026-36232 through regular automated scanning of the web application.
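To make the flaw described above and the SI-10 control concrete, here is an added PHP example (not code from the Itsourcecode project, whose instructorClasses.php is not reproduced on this page): the unsafe concatenation pattern the advisory describes, beside a hardened handler that validates classId as an integer and binds it through a prepared statement. The table and column names (instructor_classes, class_id, class_name) are assumed placeholders.

```php
<?php
// Added example, not the project's code. Table/column names are assumed.

// VULNERABLE PATTERN (as described in the advisory): the raw query
// parameter is concatenated into the SQL string, so its contents can
// change the structure of the statement instead of acting only as data.
function listClassesUnsafe(mysqli $db, array $get): mysqli_result|false
{
    $classId = $get['classId'] ?? '';          // no validation, no escaping
    $sql = "SELECT class_id, class_name FROM instructor_classes "
         . "WHERE class_id = '" . $classId . "'";
    return $db->query($sql);
}

// HARDENED: enforce the expected type up front (NIST SI-10 input
// validation) and bind the value as a parameter so the database driver
// never interprets it as SQL.
function listClassesSafe(mysqli $db, array $get): ?array
{
    // classId must be a positive integer; anything else is rejected.
    $classId = filter_var(
        $get['classId'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($classId === false) {
        http_response_code(400);               // bad request, nothing queried
        return null;
    }

    $stmt = $db->prepare(
        'SELECT class_id, class_name FROM instructor_classes WHERE class_id = ?'
    );
    $stmt->bind_param('i', $classId);          // 'i' binds an integer parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
```

get_result() requires the mysqlnd driver; with PDO the equivalent is prepare() followed by bindValue($param, $classId, PDO::PARAM_INT). Validation alone is not the fix: the prepared statement is what removes the injection, and the integer check additionally rejects malformed requests before they reach the database.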