Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-36235 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-36235 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A SQL injection vulnerability exists in the scheduleSubList.php component of Itsourcecode Online Student Enrollment System v1.0, allowing unauthenticated or low-privileged attackers to manipulate backend database queries through the subjcode parameter.

Technical Detail

The flaw arises because the subjcode parameter in scheduleSubList.php is passed directly into a SQL query without sanitization or parameterization, enabling an attacker to inject arbitrary SQL statements. A remote attacker can craft a malicious HTTP request targeting this parameter to extract sensitive data from the database, modify records, or potentially execute operating system commands depending on the database configuration and privilege level. The CVSS score of 9.8 reflects the high likelihood of unauthenticated remote exploitation with significant impact on confidentiality, integrity, and availability.

Exploitation Status

No known exploit code has been publicly documented at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning active in-the-wild exploitation has not been confirmed. However, SQL injection vulnerabilities of this class are well understood and trivial to exploit once a target is identified, reducing the practical barrier for opportunistic attackers.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Given the nature of the affected product, educational institutions using this enrollment system represent the most plausible exposure surface, but no confirmed targeting has been observed.

What To Do

Organizations running Itsourcecode Online Student Enrollment System v1.0 should treat this as a high-priority remediation given the critical CVSS score and the ease of exploiting SQL injection flaws. If a vendor patch is not yet available, the immediate workaround is to restrict public access to scheduleSubList.php via web server access controls or a web application firewall rule that blocks or sanitizes the subjcode parameter. Database accounts used by the application should be reviewed and restricted to least-privilege access to limit the blast radius of exploitation. Detection teams should monitor web server logs for anomalous SQL syntax patterns in requests targeting scheduleSubList.php. Verify with the vendor whether a patched release is available and apply it as soon as possible.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →