CVE-2026-36948
Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/view_archive.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0 via the 'id' parameter in view_archive.php allows attackers to extract database contents.
Vulnerability Overview
The Sourcecodester Online Thesis Archiving System v1.0 contains a SQL injection vulnerability in the file /otas/view_archive.php. The id parameter passed via a GET request is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands [1].
Exploitation Details
An attacker can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint. The reference demonstrates a UNION-based SQL injection payload: /?page=view_archive&id=0%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ [1]. This payload retrieves the database name (otas_db) and other data. The attack requires network access to the application and may be performed with or without authentication, depending on whether the page is publicly accessible; the reference includes a valid session cookie but does not confirm authentication requirements [1].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, thesis records, and other application data. The attacker can also potentially enumerate tables and columns, leading to further compromise of the system [1].
Mitigation Status
As of the publication date, no official patch has been released by the vendor. Users are advised to apply input validation and parameterized queries to the affected parameter, or restrict access to the vulnerable page until a fix is available [1].
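The recommended fix (input validation plus a parameterized query), shown beside the vulnerable pattern as an added example that is not Sourcecodester's code. The table `archive_demo`, its columns and both function names are hypothetical, and an in-memory SQLite database opened through PDO stands in for the application's own database so the script runs offline.

```php
<?php
// Added example. Table, columns and function names are hypothetical;
// in-memory SQLite stands in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE archive_demo (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO archive_demo (id, title) VALUES (1, 'Constructed sample thesis')");

// Vulnerable pattern described above: the raw id is concatenated into the
// SQL text. Shown for contrast only; it is never called below.
function find_archive_unsafe(PDO $db, string $rawId): ?array
{
    $row = $db->query("SELECT id, title FROM archive_demo WHERE id = '{$rawId}'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: accept only a positive integer, then bind it as a typed
// parameter so the value can never become part of the SQL text.
function find_archive_safe(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer: reject before touching the database
    }
    $stmt = $db->prepare('SELECT id, title FROM archive_demo WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Inputs: a valid id, and the URL-decoded payload quoted in this advisory.
$inputs = ['1', "0' union select 1,2,3,4,database(),6,7,8,9,10,11,12,13-- "];
foreach ($inputs as $in) {
    $row = find_archive_safe($db, $in);
    echo $row ? "found: {$row['title']}\n" : "rejected or not found\n";
}
```

In the application itself the value passed to the lookup would be `$_GET['id']`; the validation step alone stops the quoted payload, and the bound parameter keeps the query safe even if validation is later loosened.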
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.