CVE-2026-4632
Published: 24 March 2026
Summary
CVE-2026-4632 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4632 is a SQL injection vulnerability in the itsourcecode Online Enrollment System 1.0. It affects unknown code in the file /sms/user/index.php?view=add within the Parameter Handler component, where manipulation of the "Name" argument enables the injection. The issue, associated with CWE-74 and CWE-89, carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-24.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through SQL queries. A public exploit is available, increasing the risk of real-world attacks.
Advisories from VulDB (ctiid.352499, id.352499, submit.775856) and a GitHub issue (chuxina7-aiguo/CVE1/issues/1) document the vulnerability details and confirm the public exploit availability. The vendor site (itsourcecode.com) is referenced, but no specific patches or mitigations are detailed in the provided sources.
Notable context includes the public disclosure of an exploit on GitHub, facilitating potential widespread attacks against exposed instances of the system.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14738
Vulnerability details
A weakness has been identified in itsourcecode Online Enrollment System 1.0. This vulnerability affects unknown code of the file /sms/user/index.php?view=add of the component Parameter Handler. Executing a manipulation of the argument Name can lead to sql injection. The attack may…
more
be performed from remote. The exploit has been made available to the public and could be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application (PHP parameter in /sms/user/index.php) directly enables unauthenticated exploitation of a public-facing service for data access/modification, matching T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the manipulable 'Name' argument in the Parameter Handler to block SQL injection attacks.
Mandates identification, reporting, and correction of the specific SQL injection flaw in /sms/user/index.php?view=add.
Provides vulnerability scanning to identify the SQL injection vulnerability in the Online Enrollment System prior to exploitation.