Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-36232 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-36232 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A SQL injection vulnerability exists in the instructorClasses.php component of Itsourcecode Online Student Enrollment System v1.0, exposing the application's database layer to unauthenticated remote attack via a manipulated GET parameter.

Technical Detail

The flaw resides in the unsanitized handling of the classId parameter passed through $_GET['c'] in instructorClasses.php, where user-supplied input is incorporated directly into a SQL query without adequate validation or parameterization. An attacker can craft a malicious HTTP GET request containing SQL metacharacters to manipulate the underlying query logic, potentially enabling unauthorized data extraction, modification, or deletion from the database. Depending on the database server configuration and privilege level, exploitation could extend to reading sensitive files or executing operating system commands via database-native functions such as xp_cmdshell or INTO OUTFILE.

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as no known exploit, meaning active in-the-wild exploitation has not been confirmed. However, SQL injection vulnerabilities of this class are well understood and trivial to exploit manually or with widely available tooling such as sqlmap, which lowers the practical barrier to exploitation significantly.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given that the affected product is a small-scale open-source enrollment system, opportunistic attackers scanning for known vulnerable parameters represent the most plausible near-term threat profile.

What To Do

Organizations running Itsourcecode Online Student Enrollment System v1.0 should treat this as a high-priority remediation given the CVSS score of 9.8. Apply any vendor-issued patch immediately if available; if no patch exists, restrict public access to the affected application and place it behind authenticated access controls or a web application firewall configured to block SQL injection patterns. Developers should refactor the instructorClasses.php file to use prepared statements with parameterized queries for all database interactions involving user-supplied input. Review web server and database logs for anomalous GET requests to instructorClasses.php containing SQL metacharacters such as single quotes, comment sequences, or UNION keywords as detection signals for potential probing activity.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →