CVE-2026-36233 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-36233 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A SQL injection vulnerability exists in the assignInstructorSubjects.php file of Itsourcecode Online Student Enrollment System v1.0, allowing unauthenticated or low-privileged attackers to manipulate backend database queries through unsanitized user input.

Technical Detail

The flaw stems from insufficient input validation in the assignInstructorSubjects.php script, where attacker-controlled parameters are passed directly into SQL queries without proper sanitization or parameterized query handling. An attacker can craft malicious HTTP requests containing SQL payloads to manipulate query logic, potentially enabling unauthorized data extraction, modification, or deletion from the underlying database. Depending on database server configuration and privilege levels, exploitation could extend to reading sensitive system files or executing operating system commands via database-native functions such as xp_cmdshell or INTO OUTFILE.

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning active in-the-wild exploitation has not been confirmed as of April 17, 2026. However, SQL injection vulnerabilities in PHP-based web applications of this type are generally straightforward to exploit once discovered, and the risk of weaponization should not be discounted.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Given the nature of the affected product, academic institutions and organizations using this enrollment system represent the most plausible exposure surface, but no confirmed targeting has been observed.

What To Do

Organizations running Itsourcecode Online Student Enrollment System v1.0 should treat this as a high-priority remediation given the critical CVSS score of 9.8. Apply any vendor-issued patch or updated version immediately if available. If no patch exists, restrict public access to the affected assignInstructorSubjects.php endpoint via web server access controls or a web application firewall with SQL injection rule sets enabled. Implement parameterized queries or prepared statements in the application code as a permanent fix. Review database user privileges and apply the principle of least privilege to limit the blast radius of any successful exploitation. Monitor web server and database logs for anomalous query patterns or unexpected data access indicative of SQL injection attempts.