Cyber Resilience

CVE-2026-36233

Critical · Public PoC

Published: 10 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (23.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-36233 is a critical-severity SQL Injection (CWE-89) vulnerability in Itsourcecode Online Student Enrollment System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-36233 is a SQL injection vulnerability (CWE-89) affecting the assignInstructorSubjects.php file in the itsourcecode Online Student Enrollment System version 1.0. The issue arises because the "subjcode" parameter accepts attacker-controlled input that is directly incorporated into SQL queries without sanitization or validation, enabling arbitrary SQL code execution. Published on 2026-04-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.

The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing attackers to potentially extract sensitive student or enrollment data, alter database records, execute administrative operations, or cause denial of service.

Advisories reference a detailed proof-of-concept analysis in a PDF document at https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_assignInstructorSubjects.php_sql_injection.pdf, though specific patch instructions or vendor mitigations are not detailed in the CVE publication.

Vulnerability details

A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

SQL injection in public-facing web app (assignInstructorSubjects.php) directly enables remote unauthenticated exploitation of the application for initial access and arbitrary SQL execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-36234: same product, Itsourcecode Online Student Enrollment System
CVE-2026-36232: same product, Itsourcecode Online Student Enrollment System
CVE-2026-36235: same product, Itsourcecode Online Student Enrollment System
CVE-2026-1176: same vendor, Itsourcecode
CVE-2026-2012: same vendor, Itsourcecode
CVE-2026-2014: same vendor, Itsourcecode
CVE-2026-3730: same vendor, Itsourcecode
CVE-2026-2190: same vendor, Itsourcecode
CVE-2026-2013: same vendor, Itsourcecode
CVE-2026-2073: same vendor, Itsourcecode

Affected Assets

Vendor: itsourcecode
Product: online student enrollment system
Version: 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the 'subjcode' parameter before incorporation into SQL queries.

SI-9 (prevent): mitigates SQL injection by restricting the 'subjcode' parameter to only authorized values, types, or formats, blocking malicious payloads. (Note that SI-9, Information Input Restrictions, is marked withdrawn in NIST SP 800-53 r5, with its content incorporated into AC-2, AC-3, AC-5 and AC-6; the allowlisting it describes still applies.)

SI-2 (prevent): addresses this specific SQL injection flaw through timely remediation, such as patching the assignInstructorSubjects.php file or applying vendor fixes.
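The flaw described in the deeper analysis and the SI-10 / SI-9 controls above, as an added PHP example that is not code from the itsourcecode project: a hypothetical reconstruction of the vulnerable "subjcode" lookup beside a hardened PDO version with a format allowlist and a bound parameter. The table name, column names and subject-code format are assumptions.

```php
<?php
// Added illustration of the pattern the advisory describes; not the application's code.
// Assumed: a "subjects" table with columns subjcode and subjdesc, and subject codes
// shaped like ENG101 or MATH2001. Adjust the allowlist to the real coding scheme.

// Vulnerable shape (CWE-89): the request parameter is spliced into the SQL text, so
// the database cannot distinguish user-supplied data from query structure.
function lookupSubjectVulnerable(PDO $db, string $subjcode): array
{
    $sql = "SELECT subjcode, subjdesc FROM subjects WHERE subjcode = '" . $subjcode . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: allowlist the format first (the SI-9 style restriction), then bind the
// value through a prepared statement (SI-10) so it is always treated as data.
function lookupSubjectSafe(PDO $db, string $subjcode): array
{
    if (!preg_match('/^[A-Z]{2,6}[0-9]{2,4}$/', $subjcode)) {
        throw new InvalidArgumentException('subjcode rejected: unexpected format');
    }
    $stmt = $db->prepare('SELECT subjcode, subjdesc FROM subjects WHERE subjcode = :subjcode');
    $stmt->bindValue(':subjcode', $subjcode, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory SQLite data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (subjcode TEXT PRIMARY KEY, subjdesc TEXT)');
$db->exec("INSERT INTO subjects VALUES ('ENG101', 'English I'), ('MATH201', 'Calculus I')");

// Legitimate code: exactly one row comes back.
print_r(lookupSubjectSafe($db, 'ENG101'));

// A value carrying a stray quote never reaches the database: the allowlist rejects it.
try {
    lookupSubjectSafe($db, "ENG101'");
} catch (InvalidArgumentException $e) {
    echo 'hardened version: ', $e->getMessage(), PHP_EOL;
}

// The same input reaches the vulnerable version as SQL syntax: the stray quote breaks the
// statement. Such database syntax errors in application logs are a detection signal that
// request parameters are being parsed as query structure.
try {
    lookupSubjectVulnerable($db, "ENG101'");
} catch (PDOException $e) {
    echo 'vulnerable version: ', $e->getMessage(), PHP_EOL;
}
```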