CVE-2026-36950
Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Online Thesis Archiving System v1.0 has a SQL injection vulnerability in the `id` parameter of `/otas/projects_per_department.php`.
Vulnerability
Analysis
The Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the /otas/projects_per_department.php script. The id parameter in the GET request is not properly sanitized, allowing an attacker to inject arbitrary SQL queries. The vulnerability is located at /otas/?page=projects_per_department&id= [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to the id parameter. The reference provides a proof-of-concept payload: id=-4' union select 1,database(),3,4,5,6--+ which retrieves the database name. The attack does not require authentication, as the provided payload works with a simple GET request [1].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as the database name, and potentially other data depending on the database structure. The CVSS v3 score of 2.7 (Low) reflects the limited direct impact, but it could be a stepping stone for further attacks [1].
Mitigation
As of the publication date, no official patch has been released. Users should apply input validation and parameterized queries to mitigate the risk. The vendor's site is listed in the reference [1].
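To make the mitigation concrete, the following PHP shows the unsafe pattern the analysis describes (an `id` query parameter concatenated into a SQL string) next to a hardened handler that validates the value as an integer and binds it through a PDO prepared statement. This is an added illustration, not code from the Online Thesis Archiving System; the table and column names (`projects`, `department_id`, `title`) and the connection details are assumptions.

```php
<?php
// Added illustration, not code from the Online Thesis Archiving System.
// Table and column names (projects, department_id, title) are assumptions.

// Unsafe pattern: the untrusted value is spliced into the SQL text, so a
// quote in the input changes the structure of the query instead of the data.
function projectsForDepartmentUnsafe(mysqli $db, string $id): mysqli_result|false
{
    $sql = "SELECT id, title, department_id FROM projects WHERE department_id = '$id'";
    return $db->query($sql);
}

// Hardened handler: reject anything that is not a positive integer, then send
// the query shape and the value to the database separately via a bound
// parameter. Rejected inputs are logged so attempts are visible to defenders.
function projectsForDepartment(PDO $db, mixed $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        error_log(sprintf(
            'projects_per_department: rejected non-integer id from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        http_response_code(400);
        return [];
    }

    $stmt = $db->prepare(
        'SELECT id, title, department_id FROM projects WHERE department_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage. Connection parameters are placeholders; emulated prepares are
// disabled so the statement is prepared by the database server itself.
$pdo = new PDO('mysql:host=localhost;dbname=otas', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$rows = projectsForDepartment($pdo, $_GET['id'] ?? null);
foreach ($rows as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The integer check alone would already stop the payload quoted above, but binding the parameter is the control that holds even when a future column accepts free text; the two are complementary, not alternatives.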
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Version range: = v1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.