CVE-2026-2190
7.3 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A high-severity SQL injection vulnerability in itsourcecode School Management System 1.0 allows attackers to inject malicious SQL commands through the ID argument of `/ramonsys/user/controller.php`. The flaw is remotely exploitable and a public exploit exists, making attacks easy.
Who is affected
All deployments of itsourcecode School Management System version 1.0 are affected. An attacker could steal, modify, or delete sensitive school data stored in the database.
Recommended fix
Immediately upgrade to a patched version if available from the vendor. If no patch exists, apply strict input validation and parameterized queries to the `/ramonsys/user/controller.php` file.
Technical Description
A security flaw has been discovered in itsourcecode School Management System 1.0. It affects an unknown function of the file `/ramonsys/user/controller.php`. Manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74