CVE-2026-2089
7.3 HIGHPublished 2026-02-07 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A critical flaw in the Online Class Record System allows attackers to inject malicious commands into its database. This happens because the system doesn't properly check user input in a specific admin page.
Who is affected
Any school or institution using version 1.0 of this system is affected. An attacker could steal, modify, or delete sensitive class and student records from the database.
Recommended fix
Immediately apply any official patch from the vendor. If none is available, consider disabling or restricting access to the /admin/subject/controller.php file as a temporary workaround.
Technical Description
A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
CVSS Details
Attack Vector
NETWORK
Complexity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
CWE-89, CWE-74