VYPR
Medium severity · CVSS 6.3 · NVD Advisory · Published Apr 5, 2026 · Updated Apr 29, 2026

CVE-2026-5537

Description

A security vulnerability has been detected in halex CourseSEL up to 1.1.0. Affected by this vulnerability is the function check_sel of the file Apps/Index/Controller/IndexController.class.php of the component HTTP GET Parameter Handler. The manipulation of the argument seid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in halex CourseSEL ≤1.1.0 allows low-privilege attackers to extract credentials and take over the application.

Vulnerability

Overview

CVE-2026-5537 is a SQL injection vulnerability in the halex CourseSEL online course selection system, affecting version 1.1.0 and all earlier releases. The flaw resides in the check_sel method of Apps/Index/Controller/IndexController.class.php. The application, built on ThinkPHP 3.2, concatenates the user-supplied HTTP GET parameter seid directly into a SQL query through the framework's where() method, without parameterization or input sanitization [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP GET request to the vulnerable endpoint (/index.php/Index/Index/check_sel) while holding a valid student session. The endpoint only verifies basic session status and lacks strict vertical privilege controls, meaning any authenticated user—even a standard student—can trigger the injection. The public proof-of-concept demonstrates an error-based SQL injection technique [1].

Impact

Successful exploitation allows an authenticated attacker to extract sensitive database schemas, dump administrative credentials from the cs_user table, and potentially gain full control over the application. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and carries a CVSS v3 score of 6.3 (Medium) [1].

Mitigation

The vendor was contacted but did not respond, and no official patch has been released. Users of CourseSEL should upgrade to a patched version if one becomes available; until then, the risk can be mitigated by validating the seid parameter (it should be an integer) and by replacing string concatenation with parameterized statements. The exploit has been publicly disclosed, increasing the urgency for defensive measures [1].
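To make the vulnerable pattern from the Overview and the mitigation above concrete, the following PHP script is an added illustration, not code from CourseSEL, halex, or ThinkPHP. It contrasts a check_sel-style lookup that concatenates the seid GET value into the query with a hardened version that validates the type and binds the value as a parameter. The cs_user table name comes from the advisory; the cs_sel table, its columns, and the sample rows are constructed so the script runs stand-alone on the PHP CLI with the bundled SQLite PDO driver. The function names reuse check_sel only to label the comparison.

```php
<?php
// Added illustration (not CourseSEL or ThinkPHP code): vulnerable vs. hardened
// handling of a GET parameter used in a WHERE clause. Uses an in-memory SQLite
// database so it has no external dependency.
// Table cs_user is named in the advisory; cs_sel and all columns are assumed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cs_user (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO cs_user VALUES (1, 'admin', 'admin'), (2, 'student1', 'student')");
$pdo->exec('CREATE TABLE cs_sel (seid INTEGER PRIMARY KEY, uid INTEGER, course TEXT)');
$pdo->exec("INSERT INTO cs_sel VALUES (10, 2, 'Algebra'), (11, 2, 'Physics')");

// Vulnerable shape: the raw request value becomes part of the SQL text, which
// is the concatenation pattern the advisory describes for check_sel.
function check_sel_vulnerable(PDO $pdo, string $seid): array
{
    $sql = "SELECT seid, uid, course FROM cs_sel WHERE seid = " . $seid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: enforce the expected type, then bind the value as a query
// parameter so the database never parses it as SQL. In ThinkPHP 3.2 the
// equivalent is reading the value with the I() helper and an intval filter
// and passing an array condition to where(); plain PDO is used here to keep
// the script framework-free.
function check_sel_hardened(PDO $pdo, string $seid): array
{
    if (!ctype_digit($seid)) {
        throw new InvalidArgumentException('seid must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT seid, uid, course FROM cs_sel WHERE seid = :seid');
    $stmt->bindValue(':seid', (int) $seid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate selection id and a value that changes the
// meaning of the query when it is spliced into the SQL string.
$benign  = '10';
$crafted = '0 OR 1=1';

printf("vulnerable, benign:  %d row(s)\n", count(check_sel_vulnerable($pdo, $benign)));
printf("vulnerable, crafted: %d row(s) (WHERE clause no longer filters)\n",
       count(check_sel_vulnerable($pdo, $crafted)));
printf("hardened, benign:    %d row(s)\n", count(check_sel_hardened($pdo, $benign)));
try {
    check_sel_hardened($pdo, $crafted);
} catch (InvalidArgumentException $e) {
    printf("hardened, crafted:   rejected (%s)\n", $e->getMessage());
}
```

Run it with `php check_sel_demo.php`. The vulnerable path returns the single matching row for the benign id but every row for the crafted value, because the condition is now part of the statement text; the hardened path returns the same single row and refuses the crafted value before any query is built. Both layers matter: the type check gives a cheap, loggable rejection point, and the bound parameter protects the query even if a future code path forgets to validate.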

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (1)