VYPR
High severity 7.3 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9573

Description

A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0. This affects an unknown part of the file /admin/modules/student/index.php?view=view. Manipulating the studentId argument results in SQL injection. The attack can be initiated remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in itsourcecode Student Transcript Processing System 1.0 via the studentId parameter allows unauthenticated remote attackers to manipulate database queries.

Vulnerability

A SQL injection vulnerability exists in itsourcecode Student Transcript Processing System version 1.0 in the /admin/modules/student/index.php?view=view endpoint [2]. The flaw occurs because the studentId GET parameter is directly concatenated into SQL queries without proper sanitization or parameterized queries, as described in the root cause analysis [2]. The vulnerable file is accessible without authentication [2].

Exploitation

An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted HTTP GET request to the vulnerable endpoint with a malicious studentId parameter [2]. The public exploit demonstrates the use of time-based blind SQL injection (e.g., 1 AND (SELECT 1860 FROM (SELECT(SLEEP(5)))juHI)) as well as UNION-based injection [2]. No special network position or user interaction is required; the attacker simply submits the malicious request over HTTP [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying MySQL database [2]. This can lead to unauthorized access to sensitive data (including student records), data tampering, and potentially full control of the database server, posing a serious threat to system security and business continuity [2]. The CIA impact is high, as confidentiality, integrity, and availability of data can be compromised.

Mitigation

As of the publication date, the vendor (itsourcecode.com) has not released a patched version. The affected version is V1.0, and the source code archive is available from the vendor's website [1][2]. Mitigation requires applying input validation and parameterized queries to the studentId parameter. Until a fix is available, administrators should consider restricting network access to the vulnerable endpoint or implementing a web application firewall (WAF) rule to block SQL injection patterns.
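
The mitigation described above (input validation plus a parameterized query for studentId), as an added PHP example that is not the vendor's code. The students table, its columns, the helper function names, and the in-memory SQLite database standing in for MySQL are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: table/column names are hypothetical, and an in-memory
// SQLite database stands in for the application's MySQL backend.

/** Accept studentId only as a short string of decimal digits. */
function parseStudentId($raw): ?int
{
    // Rejects missing values, arrays (studentId[]=x) and any non-digit byte.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** Look up one student with a bound parameter instead of concatenation. */
function findStudent(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT student_id, full_name FROM students WHERE student_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false.
$db->exec('CREATE TABLE students (student_id INTEGER PRIMARY KEY, full_name TEXT)');
$db->exec("INSERT INTO students VALUES (1, 'Constructed Student')");

// Constructed inputs; the second is the time-based string quoted in the advisory.
$inputs = ['1', '1 AND (SELECT 1860 FROM (SELECT(SLEEP(5)))juHI)', ['1'], '42'];

foreach ($inputs as $raw) {
    $id = parseStudentId($raw);
    if ($id === null) {
        echo "rejected (HTTP 400): " . json_encode($raw) . "\n";
        continue;
    }
    $row = findStudent($db, $id);
    echo $row === null ? "no such student: $id\n" : "found: {$row['full_name']}\n";
}
```

Validation rejects the non-numeric values before any query runs, and the bound integer parameter keeps the value out of the SQL text even if the validation is later loosened.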

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
