CVE-2026-1701 identifies a SQL injection vulnerability in the itsourcecode Student Management System version 1.0, specifically within the /enrollment/index.php script. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is used in SQL queries without adequate protection. This allows an unauthenticated remote attacker to inject malicious SQL code, potentially enabling unauthorized reading, modification, or deletion of database records. The vulnerability does not require user interaction or authentication, increasing its exploitability. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the attack vector is network-based with low complexity and no privileges required, but with limited impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The affected product is primarily used in educational environments to manage student enrollment and records, making the confidentiality and integrity of sensitive student data a concern. The lack of available patches or updates at the time of disclosure necessitates immediate mitigation through secure coding practices and access controls.

For European organizations, particularly educational institutions using the itsourcecode Student Management System 1.0, this vulnerability poses a risk of unauthorized access to sensitive student data, including personal information and enrollment records. Exploitation could lead to data breaches, loss of data integrity, and potential disruption of enrollment services. This could result in regulatory non-compliance under GDPR due to exposure of personally identifiable information (PII). The attack could also undermine trust in the affected institutions and cause operational downtime. Although the impact is somewhat limited by the scope of the vulnerability, the ease of remote exploitation without authentication elevates the risk profile. Organizations relying on this system for critical student management functions may face reputational damage and legal consequences if exploited.

Organizations should immediately implement input validation and sanitization on the 'ID' parameter within the /enrollment/index.php file to prevent SQL injection. Employing parameterized queries or prepared statements is essential to eliminate direct injection risks. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block SQL injection attempts targeting this endpoint. Restricting external access to the enrollment module through VPNs or IP whitelisting can reduce exposure. Monitoring logs for suspicious database query patterns or unexpected errors can help detect exploitation attempts early. Since no official patches are currently available, organizations should engage with the vendor for updates and consider upgrading to newer, secure versions once released. Conducting security audits and penetration testing focused on injection vulnerabilities will help identify residual risks. Additionally, ensure that database accounts used by the application have the least privileges necessary to limit potential damage.