CVE-2026-5334
Published: 02 April 2026
Summary
CVE-2026-5334 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode Online Enrollment System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5334 is a SQL injection vulnerability (CWE-74, CWE-89) affecting itsourcecode Online Enrollment System 1.0. The flaw resides in an unknown function within the Parameter Handler component, specifically in the file /enrollment/index.php?view=edit&id=3, where manipulation of the 'deptid' argument enables injection. Published on 2026-04-02, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low exploitation barriers.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts: low-level confidentiality breaches (e.g., unauthorized data disclosure), integrity modifications (e.g., data tampering), and availability disruptions (e.g., denial of service).
Advisories referenced in VulDB entries (e.g., vuln/354668) and a GitHub issue in yuji0903/silver-guide document the issue and note that a public exploit is available, increasing the risk of attacks; security practitioners should review these sources, including the vendor site at itsourcecode.com, for any patch or mitigation recommendations.
The public availability of the exploit underscores the need for immediate scanning and patching of exposed instances, as it could facilitate real-world attacks on unmaintained deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18338
Vulnerability details
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=edit&id=3 of the component Parameter Handler. Manipulation of the argument deptid causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in a publicly accessible web application (Online Enrollment System) that requires no authentication directly enables remote exploitation of the public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the 'deptid' parameter to prevent SQL injection in the Parameter Handler.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of the specific SQL injection flaw in /enrollment/index.php?view=edit&id=3.
- RA-5 (Vulnerability Monitoring and Scanning): enables regular vulnerability scanning to detect and initiate remediation for SQL injection vulnerabilities such as CVE-2026-5334.
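The following is an added illustration of the input-validation control (SI-10) applied to the pattern the Deeper analysis section describes: an integer request parameter named deptid that reaches a SQL query. It is not code from the Online Enrollment System, whose database layer is not shown on the page; the table, rows, function names and the in-memory SQLite database (via PDO) are constructed here so the script runs offline. The unsafe version is kept only to show why string interpolation fails; the hardened version rejects anything that is not a positive integer and binds the value as a typed parameter.

```php
<?php
// Added example (not the project's code). Models a 'deptid' lookup.
// Database, table and rows are constructed in-memory so this runs offline.
declare(strict_types=1);

function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE department (deptid INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO department VALUES (1, 'Computer Science'), (2, 'Nursing')");
    return $pdo;
}

// Unsafe pattern: the raw request value is interpolated into the SQL text,
// so characters the SQL parser treats as syntax change the query's meaning.
function lookupDeptUnsafe(PDO $pdo, string $rawDeptId): array {
    $sql = 'SELECT deptid, name FROM department WHERE deptid = ' . $rawDeptId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (SI-10 style validation plus a prepared statement):
// 1. reject anything that is not a positive integer before it touches SQL;
// 2. bind the value as a typed parameter so it is never parsed as SQL.
function lookupDeptSafe(PDO $pdo, string $rawDeptId): ?array {
    $deptId = filter_var($rawDeptId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($deptId === false) {
        return null; // caller should answer 400 and log the rejected value
    }
    $stmt = $pdo->prepare('SELECT deptid, name FROM department WHERE deptid = :id');
    $stmt->bindValue(':id', $deptId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = buildDb();

// Well-formed input behaves the same in both versions: one row for dept 2.
var_dump(lookupDeptUnsafe($pdo, '2'));
var_dump(lookupDeptSafe($pdo, '2'));

// Constructed malformed input: a tautology appended to the id. The unsafe
// version returns every row; the safe version rejects it before any query runs.
$malformed = '2 OR 1=1';
var_dump(count(lookupDeptUnsafe($pdo, $malformed))); // int(2): both rows returned
var_dump(lookupDeptSafe($pdo, $malformed));          // NULL: rejected, nothing executed
```

In a real handler the rejected value should be logged with the source address, since repeated non-integer values on a parameter that is only ever an id are a cheap detection signal for probing of this flaw.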