CVE-2026-36235
Published: 10 April 2026
Summary
CVE-2026-36235 is a critical-severity SQL Injection (CWE-89) vulnerability in Itsourcecode Online Student Enrollment System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-36235 is a SQL injection vulnerability (CWE-89) in the scheduleSubList.php file of the itsourcecode Online Student Enrollment System version 1.0. The issue stems from the 'subjcode' parameter being directly embedded into an SQL query through string interpolation, without any sanitization or validation, enabling attackers to inject and execute arbitrary SQL code.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing data exfiltration, database manipulation, or service disruption.
A technical analysis of the vulnerability, including proof-of-concept details, is documented in the reference at https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_scheduleSubList.php_sql_injection.pdf, published on 2026-04-10.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21374
Vulnerability details
A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.
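The following PHP is an added illustration of the defect class the advisory describes and of the fix the listed controls call for; it is not the project's scheduleSubList.php, and the table name, column names, subject-code format and the connection DSN are all assumptions. The first function reproduces the interpolation pattern (a request value spliced into SQL text); the second validates the input format first (SI-10) and then binds the value as a parameter so the database never parses it as SQL.

```php
<?php
// Added example for CVE-2026-36235, not the project's own code.
// Schema ("schedule" table with subjcode/description/schedule columns)
// and the DSN below are assumptions used only for illustration.

// --- Unsafe pattern, as the advisory describes it (shown for contrast only) ---
// The 'subjcode' request value becomes part of the SQL text, so whoever
// supplies it also controls the structure of the statement.
function scheduleSubListVulnerable(PDO $pdo, array $get): array
{
    $subjcode = $get['subjcode'] ?? '';
    $sql = "SELECT * FROM schedule WHERE subjcode = '$subjcode'"; // string interpolation
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened handler ---
// Step 1 (SI-10, input validation): accept only the shape a subject code can
// legitimately have. The pattern here (2-12 alphanumerics or dashes) is an
// assumption; adjust it to the real code format.
function isValidSubjectCode(string $code): bool
{
    return (bool) preg_match('/^[A-Za-z0-9-]{2,12}$/', $code);
}

// Step 2 (parameterised query): the value is bound as data. Even a value that
// passes validation cannot change the statement's structure.
function scheduleSubListSafe(PDO $pdo, array $get): array
{
    $subjcode = $get['subjcode'] ?? '';

    // PHP turns "subjcode[]=x" into an array, so check the type before the format.
    if (!is_string($subjcode) || !isValidSubjectCode($subjcode)) {
        throw new InvalidArgumentException('subjcode has an invalid format');
    }

    $stmt = $pdo->prepare(
        'SELECT subjcode, description, schedule FROM schedule WHERE subjcode = :subjcode'
    );
    $stmt->bindValue(':subjcode', $subjcode, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed DSN and credentials:
// $pdo = new PDO('mysql:host=localhost;dbname=enrollment', 'dbuser', 'dbpass', [
//     PDO::ATTR_EMULATE_PREPARES => false,                 // real server-side prepares
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface DB errors, not silent failure
// ]);
// try {
//     $rows = scheduleSubListSafe($pdo, $_GET);
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
//     exit;
// }
```

Disabling `PDO::ATTR_EMULATE_PREPARES` matters: with emulation on, PDO builds the final SQL string client-side, whereas with it off the statement and the parameter travel to the server separately. The allow-list check is kept even though the bound parameter alone stops injection, because rejecting malformed codes at the edge also gives a clean 400 to log on rather than a database error.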
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in a remotely accessible web application (Online Student Enrollment System) directly enables exploitation of a public-facing application via unauthenticated network access.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of the 'subjcode' parameter before embedding it into SQL queries, comprehensively preventing SQL injection exploitation.
- Enforces restrictions on information inputs like 'subjcode' to only allow valid formats, blocking malicious SQL injection payloads.
- Mandates timely identification, reporting, and correction of the specific SQL injection flaw in scheduleSubList.php to eliminate the vulnerability.