CVE-2026-36234 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-36234 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
A SQL injection vulnerability exists in Itsourcecode Online Student Enrollment System v1.0, specifically in the newCourse.php script via the coursename parameter.
Technical Detail
The application fails to properly sanitize or parameterize user-supplied input passed through the coursename parameter in newCourse.php, allowing an attacker to inject arbitrary SQL statements into the backend database query. Exploitation can be performed remotely and, depending on how the enrollment form is exposed, without authentication; it may result in unauthorized extraction, modification, or deletion of database contents. In worst-case scenarios where the database server is configured with elevated privileges, the vulnerability could facilitate operating system command execution via database-native functions such as xp_cmdshell (Microsoft SQL Server) or INTO OUTFILE (MySQL).
Exploitation Status
No known exploit code has been publicly documented at this time, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploit maturity is currently rated "no known exploit", though the straightforward nature of SQL injection in a web parameter means the barrier to exploitation is low for any attacker with basic skills.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability.
What To Do
Organizations running Itsourcecode Online Student Enrollment System v1.0 should treat this as a high-priority remediation given the critical CVSS score of 9.8. If a vendor patch is not yet available, the immediate workaround is to restrict public access to newCourse.php via web server access controls or a web application firewall rule that blocks SQL metacharacters in the coursename parameter. Developers should refactor the affected code to use prepared statements with parameterized queries. Database accounts used by the application should be audited and restricted to least-privilege access to limit the blast radius of any successful exploitation. Monitor web server logs for anomalous input patterns in the coursename field, including SQL keywords such as UNION, SELECT, and comment sequences.
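The log-monitoring step above, as an added example that is not part of the original briefing or the vendor's code: it parses combined-format web server log lines, isolates the coursename parameter on requests to newCourse.php, and flags values carrying SQL keywords, comment sequences, or a quote followed by a boolean operator. The log lines are constructed for this example, and it assumes the parameter is visible in the logged request target (a GET query string); a form submitted by POST would need request-body logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /newCourse.php?coursename=Biology+101 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /newCourse.php?coursename=x%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 200 987
203.0.113.9 - - [01/Jan/2026:10:00:07 +0000] "GET /newCourse.php?coursename=Chemistry%20/*+lab+*/ HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php?q=select+course HTTP/1.1" 200 300
"""

# Fields of a combined-format request line: client IP, timestamp, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Indicators named in the briefing: SQL keywords and comment sequences,
# plus a quote followed by OR/AND (classic tautology shape).
SUSPICIOUS = [
    ("sql_keyword", re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("comment_sequence", re.compile(r"(--|#|/\*)")),
    ("quote_boolean", re.compile(r"'\s*(OR|AND)\s+", re.I)),
]

def inspect_line(line):
    """Return a finding dict for a suspicious coursename value, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != "/newcourse.php":
        return None  # only the vulnerable script is of interest here
    for raw in parse_qs(parts.query).get("coursename", []):
        # parse_qs already decoded once; decode again to catch double-encoded input.
        value = unquote_plus(raw)
        reasons = [name for name, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "value": value, "reasons": reasons}
    return None

def scan(log_text):
    """Run inspect_line over every line and keep the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['reasons']} {finding['value']!r}")
```

Keyword matching on a free-text course name will produce some false positives (a course titled "Data Update Workshop" trips the UPDATE rule), so treat hits as triage candidates and weigh repeated hits from one client more heavily.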