CVE-2026-9574

Vulnerability

An SQL injection vulnerability exists in itsourcecode Student Transcript Processing System version 1.0. The flaw resides in the /admin/modules/student/trans.php script, where the studentId and cid GET parameters are concatenated directly into SQL queries without proper sanitization or validation. No authentication is required to reach the vulnerable code path [1], [2].

Exploitation

An unauthenticated remote attacker can exploit this by sending a crafted HTTP GET request to /admin/modules/student/trans.php with malicious SQL payloads in the studentId or cid parameters. The published proof of concept demonstrates time-based blind SQL injection using MySQL SLEEP function. No user interaction or special network position is required [2].

Impact

Successful exploitation allows an attacker to perform unauthorized database operations, including reading, modifying, or deleting sensitive data, gaining full database access, and potentially achieving comprehensive system control. This can lead to data leakage, data tampering, and service disruption, posing a serious risk to system security and business continuity [2].

Mitigation

The vendor has not released a patched version as of the publication date. The affected version 1.0 is available for download from the vendor's site [1]. Users should apply input validation and prepared statements to the vulnerable file, or restrict access to the endpoint until a formal fix is issued. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1], [2].