CVE-2026-9575
Description
A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Student Transcript Processing System 1.0 /admin/modules/class/index.php via id parameter allows remote attackers to execute arbitrary SQL queries.
Vulnerability
A SQL injection vulnerability exists in itsourcecode Student Transcript Processing System 1.0 in the file /admin/modules/class/index.php?view=view. The id parameter is directly concatenated into SQL queries without proper sanitization or validation [1][2]. This issue affects version V1.0, as provided in the software link [2]. No authentication is required to reach the vulnerable endpoint.
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP GET request to the vulnerable endpoint with a malicious id parameter. Payload examples include time-based blind SQL injection using SLEEP() and UNION queries [2]. No prior authentication or user interaction is necessary. The exploit has been publicly disclosed.
Impact
Successful exploitation allows an attacker to execute unauthorized SQL queries, leading to database compromise, sensitive data leakage, data modification or deletion, and potentially full system control [2]. This poses a serious threat to system security and data integrity.
Mitigation
As of the publication date, no official patch has been released by itsourcecode. The vendor homepage provides the affected software [1]. Mitigation requires implementing proper input validation and parameterized queries. Until a fix is available, restrict network access to the vulnerable page and consider using a web application firewall (WAF).
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
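While no patch is available, web server access logs can be reviewed for requests to the affected view whose id value is not a plain integer. The script below is an added example, not code from itsourcecode or from the cited references; the combined log format, the sample lines, and the assumption that legitimate id values are short decimal integers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path, view and parameter name come from the advisory; the rest is assumed.
VULN_PATH = "/admin/modules/class/index.php"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [26/May/2026:10:01:02 +0000] "GET /admin/modules/class/index.php?view=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2026:10:02:10 +0000] "GET /admin/modules/class/index.php?view=view&id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.5"
203.0.113.9 - - [26/May/2026:10:02:31 +0000] "GET /admin/modules/class/index.php?view=view&ID=-1%20UNION%20SELECT%201 HTTP/1.1" 200 420 "-" "curl/8.5"
198.51.100.7 - - [26/May/2026:10:03:00 +0000] "GET /admin/modules/class/index.php?view=list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2026:10:03:05 +0000] "GET /index.php?id=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def suspicious_requests(log_text):
    """Return (client ip, decoded id value) for requests to the affected
    view whose id parameter is not a short decimal integer."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("view") != ["view"]:
            continue
        for name, values in params.items():
            # The advisory writes the argument as both "ID" and "id"; check either.
            if name.lower() != "id":
                continue
            for value in values:
                # Allow-list: anything other than 1-10 digits is reported.
                if not re.fullmatch(r"[0-9]{1,10}", value):
                    findings.append((m.group("ip"), value))
    return findings

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id: {value!r}")
```

The same allow-list (digits only) is the input validation a fix would apply before the value reaches a parameterized query.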
Affected products (2)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.