CVE-2026-36952
Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Online Thesis Archiving System v1.0 has a SQL injection vulnerability in the `id` parameter of `/otas/admin/curriculum/manage_curriculum.php`.
Vulnerability Overview
The Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file `/otas/admin/curriculum/manage_curriculum.php`. The vulnerability exists in the `id` parameter, which is directly concatenated into SQL queries without proper sanitization or parameterization [1].
Exploitation Details
An authenticated attacker with admin credentials (e.g., admin/admin123) can exploit this by sending a crafted GET request to the vulnerable endpoint. The proof-of-concept payload `id=0' union select 1,2,database(),4,5,6,7--+` demonstrates the ability to extract database information, such as the database name `otas_db`, through a UNION-based SQL injection [1]. The attack requires no special privileges beyond standard admin access.
Impact
Successful exploitation allows an attacker to read arbitrary data from the database, including potentially sensitive information stored in the thesis archiving system. The CVSS v3 score of 2.7 (Low) reflects the requirement for authentication and the limited direct impact on confidentiality, integrity, or availability [1].
Mitigation
As of the publication date, no official patch has been released by the vendor. Users should apply input validation and parameterized queries to the id parameter, or consider migrating to a supported alternative. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
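An added example of the mitigation above, not code from the application or its vendor: it contrasts the concatenated query with a validated, parameterized lookup, using the PoC value quoted on this page. The table name `curriculum_list`, its columns, the function names and the in-memory SQLite database (standing in for the application's own database) are assumptions made for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the application's database;
// the table and column names are hypothetical. Seven columns are assumed only
// because the PoC UNION on this page selects seven values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE curriculum_list (id INTEGER PRIMARY KEY, department_id INTEGER,
           name TEXT, description TEXT, status INTEGER, date_created TEXT, date_updated TEXT)");
$db->exec("INSERT INTO curriculum_list VALUES
           (1, 1, 'BSIT', 'Constructed sample row', 1, '2026-01-01', '2026-01-01')");

// Vulnerable pattern described in the overview: id concatenated into the SQL text.
// Only the string is built here, so the change in query structure is visible.
function build_query_vulnerable(string $id): string
{
    return "SELECT * FROM curriculum_list WHERE id = '{$id}'";
}

// Hardened lookup: validate id as a positive integer, then bind it as a parameter.
function fetch_curriculum(PDO $db, string $id): ?array
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return null; // non-numeric input never reaches the database
    }
    $stmt = $db->prepare('SELECT * FROM curriculum_list WHERE id = ?');
    $stmt->bindValue(1, $valid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Binding alone, without validation: the input is still treated as data, not SQL.
function fetch_bound_only(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM curriculum_list WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The PoC value from this page as PHP would see it in $_GET (urldecode turns "+" into a space).
$poc = urldecode("0' union select 1,2,database(),4,5,6,7--+");

echo build_query_vulnerable($poc), PHP_EOL;   // the quote closes early and the UNION becomes SQL
var_dump(fetch_curriculum($db, $poc));        // validation rejects the value
var_dump(fetch_bound_only($db, $poc));        // bound as a string, compared as a value
var_dump(fetch_curriculum($db, '1')['name']); // a legitimate id still resolves
```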
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = v1.0
Patches (0)
No patches discovered yet.
References (1)