COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.
CVE-2026-5534 — SQL Injection in itsourcecode Online Enrollment System 1.0
Security | High | CVE-2026-5534

A high-severity SQL injection vulnerability in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to manipulate the USERID parameter to exfiltrate or corrupt database records.

Dylan H., Security Team
April 5, 2026 · 4 min read

Affected Products

  • itsourcecode Online Enrollment System 1.0

Executive Summary

CVE-2026-5534 is a SQL injection vulnerability affecting itsourcecode Online Enrollment System 1.0. The flaw resides in the parameter handler for the USERID argument in /sms/user/index.php?view=edit&id=10. An unauthenticated remote attacker can craft a malicious request to manipulate backend SQL queries, potentially exfiltrating sensitive student and administrative records.

CVSS Score: 7.3 (High)


Vulnerability Overview

Attribute          Value
CVE ID             CVE-2026-5534
CVSS Score         7.3 (High)
Type               SQL Injection (CWE-89)
Component          /sms/user/index.php — USERID parameter
Attack Vector      Network
Authentication     None required
User Interaction   None
Published          April 5, 2026

Root Cause

The application fails to sanitize or parameterize the USERID input before incorporating it into a SQL query. An attacker can append crafted SQL syntax to the USERID value and alter the logic of the resulting query, enabling data extraction, modification, or deletion depending on the database permissions of the web application's database user.


Affected Software

Software                               Version   Status
itsourcecode Online Enrollment System  1.0       Vulnerable — No patch available

Note: itsourcecode is a free, open-source PHP educational project widely used by students, academic institutions, and small schools in developing regions. Vulnerable deployments may be publicly accessible without authentication controls.


Attack Scenario

A remote attacker with network access to the application can:

  1. Navigate to /sms/user/index.php?view=edit&id=10
  2. Supply a crafted value for the USERID parameter (e.g., 10 OR 1=1--)
  3. The backend SQL query is modified without sanitization
  4. The attacker receives database output — potentially including usernames, passwords, enrollment records, and personal information

Example Payload (Illustrative)

/sms/user/index.php?view=edit&id=10&USERID=1'+OR+'1'='1

This type of classic injection payload forces the WHERE clause to evaluate as always true, potentially returning all user records.


Impact Assessment

Impact Area             Risk
Confidentiality         High — student PII, credentials, and records exposed
Integrity               Medium — data modification possible
Availability            Low — denial of service via table manipulation
Authentication bypass   Possible if admin credentials are returned

Remediation

Immediate Actions

Since no official patch exists from itsourcecode at the time of publication, administrators running this software should:

  1. Take the application offline if it is publicly internet-accessible
  2. Implement a web application firewall (WAF) to block SQL injection patterns as a temporary mitigation
  3. Restrict access to the application to internal networks only via firewall rules
  4. Audit logs for signs of prior exploitation — look for unusual GET/POST requests to /sms/user/index.php
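Step 4 above is the one administrators most often skip because "unusual" is vague. The following is an added example, not part of the advisory and not itsourcecode's code: a small audit script that parses common-log-format access lines, URL-decodes the query string of every request to /sms/user/index.php, and flags any watched ID parameter whose value is not a plain integer, surfacing POSTs to the endpoint for manual review because their bodies are not in the access log. The log lines are constructed for the example (documentation-range IPs, invented timestamps); the endpoint path and the two payload shapes are the ones this advisory describes. The parameter list and the SQL-syntax heuristic are assumptions a real deployment would tune.

```python
import re
import urllib.parse

# Constructed sample access-log lines in common log format; the IPs are
# documentation ranges and the traffic is invented for this example. The
# endpoint path and the payloads are the ones named in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Apr/2026:10:01:22 +0000] "GET /sms/user/index.php?view=edit&id=10 HTTP/1.1" 200 2310
203.0.113.5 - - [05/Apr/2026:10:01:40 +0000] "GET /sms/user/index.php?view=edit&id=10&USERID=1'+OR+'1'='1 HTTP/1.1" 200 51820
198.51.100.7 - - [05/Apr/2026:10:02:03 +0000] "GET /sms/user/index.php?view=edit&id=10%20OR%201%3D1-- HTTP/1.1" 200 51820
198.51.100.7 - - [05/Apr/2026:10:02:30 +0000] "POST /sms/user/index.php HTTP/1.1" 302 0
192.0.2.9 - - [05/Apr/2026:10:03:11 +0000] "GET /sms/index.php HTTP/1.1" 200 1200
"""

VULN_PATH = "/sms/user/index.php"
# Parameters to inspect: USERID is the injection point named in the advisory;
# id is checked as well because the vulnerable URL carries it (assumption).
WATCHED_PARAMS = ("USERID", "id")
# Classic SQL syntax fragments that have no business in an integer ID field.
SQL_SYNTAX = re.compile(r"['\"]|--|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one common-log-format line into fields; return None if it does not parse."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def suspicious_params(target):
    """Return (name, decoded value, reason) for watched parameters on the vulnerable
    path whose value is not a plain integer. Decoding first matters: the advisory's
    payload arrives as 1'+OR+'1'='1 and only shows its quotes once '+' and %xx are undone."""
    parts = urllib.parse.urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    findings = []
    params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if value.isdigit():
                continue  # a well-formed integer ID, nothing to report
            reason = "sql-syntax" if SQL_SYNTAX.search(value) else "non-integer"
            findings.append((name, value, reason))
    return findings


def audit(log_text):
    """Scan log text and return one record per request that warrants a closer look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urllib.parse.urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path == VULN_PATH:
            # Bodies are not in the access log, so every POST to the endpoint
            # is surfaced for manual review rather than silently passed.
            hits.append({**rec, "reason": "POST to vulnerable endpoint; request body not logged"})
            continue
        findings = suspicious_params(rec["target"])
        if findings:
            detail = "; ".join(f"{n}={v!r} ({why})" for n, v, why in findings)
            hits.append({**rec, "reason": detail})
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["reason"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; because the check is "not an integer" rather than a signature list, encoded variants are caught as long as the web server logged the raw request target. Treat a hit with a 200 status and an unusually large response size as the strongest signal that data was actually returned.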

Developer Fix

The vulnerability should be remediated by the application developer using prepared statements (parameterized queries):

// Vulnerable (DO NOT USE): the raw request value becomes part of the SQL text
$query = "SELECT * FROM users WHERE userid = " . $_GET['USERID'];

// Secure — parameterized query ($pdo is the application's existing PDO connection)
$stmt = $pdo->prepare("SELECT * FROM users WHERE userid = ?");
$stmt->execute([$_GET['USERID']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

Additionally, all user-supplied input should be validated against expected types (e.g., integers for ID fields) before being processed.
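To make the difference between the two snippets concrete, here is an added example that is not part of the advisory and not itsourcecode's code. It uses Python's sqlite3 module in place of the application's PHP/MySQL stack, so the behaviour is shown in a language-neutral way: the same lookup is written three times, once with string concatenation as in the vulnerable snippet, once with a bound placeholder as in the fix, and once with the integer validation the paragraph above recommends layered in front. The users table and its three rows are constructed for the example (the real schema is not on the page), and the injected value is the 10 OR 1=1-- payload from the attack scenario earlier in the advisory.

```python
import sqlite3

# Constructed sample rows standing in for the enrollment system's user table.
# Assumption: a table named users with an integer userid column, as in the
# advisory's PHP snippet; the real schema is not shown on the page.
SAMPLE_USERS = [
    (10, "alice", "student"),
    (11, "bob", "student"),
    (12, "admin", "administrator"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, userid):
    """Mirror the advisory's vulnerable pattern: the raw request value is spliced
    into the statement text, so SQL syntax inside the value becomes part of the query."""
    query = "SELECT userid, username, role FROM users WHERE userid = " + userid
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Placeholder binding: the value travels separately from the statement text,
    so it is compared as data and can never alter the WHERE clause."""
    return conn.execute(
        "SELECT userid, username, role FROM users WHERE userid = ?", (userid,)
    ).fetchall()


def is_valid_userid(value):
    """Type check for an ID field: only a string of decimal digits is acceptable."""
    return isinstance(value, str) and value.isdigit()


def lookup_hardened(conn, userid):
    """Validation in front of the parameterized query, as the advisory recommends:
    anything that is not a decimal integer is rejected before any SQL runs."""
    if not is_valid_userid(userid):
        raise ValueError("USERID must be a decimal integer")
    return lookup_parameterized(conn, int(userid))


if __name__ == "__main__":
    db = make_db()
    injected = "10 OR 1=1--"  # the payload from the attack scenario above
    print("vulnerable, legitimate id :", lookup_vulnerable(db, "10"))
    print("vulnerable, injected id   :", lookup_vulnerable(db, injected))
    print("parameterized, injected id:", lookup_parameterized(db, injected))
    try:
        lookup_hardened(db, injected)
    except ValueError as exc:
        print("hardened, injected id     : rejected ->", exc)
```

With the concatenated query the injected value turns the WHERE clause into userid = 10 OR 1=1 and every row comes back, which is exactly the "potentially returning all user records" outcome described in the attack scenario. With a bound placeholder the same string is compared as a single value against an integer column and matches nothing. The validation layer stops the request before the database sees it at all, which is the cheaper place to fail and also gives a clear signal worth logging.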


Context: itsourcecode Applications

itsourcecode publishes numerous free PHP web application projects primarily targeting students learning web development. These projects are frequently deployed to live servers — sometimes with default or no credentials — making them common targets for automated vulnerability scanning and exploitation campaigns. If your organization is running any itsourcecode application, a security audit of input handling across all parameters is strongly recommended.


Key Takeaways

  1. CVSS 7.3 (High) — Remotely exploitable with no authentication required
  2. No official patch available — mitigate by restricting access and deploying WAF rules
  3. PII at risk — Student enrollment systems contain sensitive personal and academic records
  4. Parameterize all queries — The fix is straightforward but requires developer action on each affected input

References

  • NVD — CVE-2026-5534
  • OWASP — SQL Injection Prevention Cheat Sheet
  • CWE-89 — Improper Neutralization of Special Elements used in an SQL Command
Tags: CVE-2026-5534, SQL Injection, NVD, Vulnerability, Web Application
