CVE-2026-2087 identifies a SQL injection vulnerability in SourceCodester Online Class Record System version 1.0, specifically within the /admin/login.php endpoint. The vulnerability arises from improper sanitization of the user_email parameter, allowing attackers to inject malicious SQL code. This flaw enables remote, unauthenticated attackers to manipulate backend database queries, potentially extracting sensitive information, bypassing authentication, or altering data integrity. The vulnerability is exploitable over the network without any user interaction or privileges, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and potential impact on confidentiality, integrity, and availability, albeit with limited scope and no privilege escalation. No official patches or fixes have been published yet, and while no active exploitation has been reported, the availability of exploit code raises the likelihood of future attacks. The vulnerability affects only version 1.0 of the product, which is used primarily in educational environments to manage class records and administrative functions. Given the critical nature of educational data, exploitation could lead to unauthorized disclosure of student and staff information, disruption of administrative operations, and potential compliance violations under data protection regulations.

For European organizations, particularly educational institutions using SourceCodester Online Class Record System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive academic and personal data. Exploitation could lead to unauthorized access to student records, grades, and administrative credentials, potentially resulting in data breaches and reputational damage. The disruption of class record management systems could impair operational continuity, affecting teaching and administrative workflows. Additionally, compromised systems may be leveraged for further attacks within the network. Given the strict data protection regulations in Europe, such as GDPR, affected organizations could face legal and financial penalties if breaches occur. The medium severity rating indicates a moderate but actionable threat, especially since no authentication or user interaction is required for exploitation. Organizations relying on this system should consider the potential impact on compliance, data privacy, and operational resilience.

Immediate mitigation steps include implementing robust input validation and sanitization for the user_email parameter to prevent SQL injection. Employing parameterized queries or prepared statements in the /admin/login.php code is critical to eliminate injection vectors. Since no official patches are currently available, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. Restricting network access to the administration interface to trusted IP addresses can reduce exposure. Conduct thorough code reviews and security testing of the application to identify and remediate similar vulnerabilities. Regularly monitor logs for suspicious activities related to login attempts and database queries. Organizations should also plan for timely updates once official patches are released by the vendor. Finally, educating administrators about the risks and signs of exploitation can improve incident response readiness.