CVE-2026-36236 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-36236 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-36236 is a SQL injection vulnerability in Janobe's Engineers Online Portal v1.0, specifically within the update_password.php script's new_password parameter.
Technical Detail
The flaw exists because user-supplied input passed through the new_password parameter in update_password.php is not sanitized or parameterized before being incorporated into a SQL query. An attacker can craft a string that alters the structure of the underlying database query, potentially enabling unauthorized data access, data manipulation, authentication bypass, or full database compromise, depending on the privilege level of the database account the application uses. In worst-case configurations where that account has elevated permissions, this could extend to operating-system-level command execution via database-native functions such as xp_cmdshell or INTO OUTFILE.
Exploitation Status
No known exploit code has been publicly identified at this time, and this CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning active in-the-wild exploitation has not been confirmed as of April 17, 2026. This status should be monitored, as SQL injection vulnerabilities in open-source portal applications are frequently targeted once details become public.
Who Is Targeting This
There is no specific threat actor attribution at this time, and no campaigns or targeted sectors have been associated with this vulnerability. Given the nature of the affected product, opportunistic actors scanning for vulnerable web applications represent the most plausible near-term threat profile.
What To Do
Organizations running Janobe Engineers Online Portal v1.0 should treat this as a high-priority remediation given the critical CVSS score of 9.8. If a vendor patch is not yet available, the immediate workaround is to restrict public access to update_password.php via web server access controls or a web application firewall rule that blocks SQL metacharacter sequences in the new_password parameter. Implement parameterized queries or prepared statements in the application code to address the root cause. Database accounts used by the application should be reviewed and restricted to least-privilege permissions to limit the blast radius of any successful exploitation. Monitor web server logs for anomalous input patterns targeting this endpoint.
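The root-cause fix recommended above, shown as an added example that is not the project's own code: a hypothetical reconstruction of the unsafe string-concatenation pattern the briefing describes, next to a prepared-statement version using mysqli. The table name `users`, the columns `password` and `id`, and the connection details are assumptions, not taken from the affected application.

```php
<?php
// Added example (not Janobe's code). Table/column names are assumed.

// UNSAFE PATTERN: the parameter value is spliced into the SQL text, so the
// value can change the grammar of the statement instead of being treated
// purely as data. This is the class of defect the briefing describes.
function updatePasswordUnsafe(mysqli $db, int $userId, string $newPassword): bool
{
    $sql = "UPDATE users SET password = '" . $newPassword . "' WHERE id = " . $userId;
    return $db->query($sql) !== false;
}

// HARDENED FORM: a prepared statement transmits the SQL text and the bound
// values separately, so the database never parses the value as SQL. The
// password is also stored as a password_hash() digest rather than cleartext
// (assumed column width large enough for the hash, e.g. VARCHAR(255)).
function updatePasswordSafe(mysqli $db, int $userId, string $newPassword): bool
{
    // Basic input validation before touching the database.
    if ($newPassword === '' || strlen($newPassword) > 1024) {
        return false;
    }

    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    // '?' placeholders; 's' = string, 'i' = integer for bind_param().
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $hash, $userId);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Assumed usage (connection credentials and session handling are placeholders):
// $db = new mysqli('localhost', 'portal_app', 'DB_PASSWORD_PLACEHOLDER', 'portal');
// $db->set_charset('utf8mb4');
// $ok = updatePasswordSafe($db, (int) $_SESSION['user_id'], (string) ($_POST['new_password'] ?? ''));
```

Pairing the prepared statement with a least-privilege database account, as the briefing advises, limits what a query could reach even if another injection point were later found.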