CVE-2026-2089: SQL Injection in SourceCodester Online Class Record System
CVE-2026-2089 is a medium-severity SQL injection vulnerability in SourceCodester Online Class Record System version 1.0, specifically in the /admin/subject/controller.php file. The vulnerability allows remote attackers to manipulate the 'ID' parameter without authentication or user interaction, enabling unauthorized access to or modification of the backend database. Although no known exploits are currently observed in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. This vulnerability can compromise the confidentiality, integrity, and availability of educational data managed by the system. European educational institutions using this software are at risk, especially those with limited security controls. Mitigation requires immediate code review and patching of the vulnerable parameter handling, implementation of prepared statements or parameterized queries, and enhanced input validation. Countries with significant deployment of SourceCodester products or with large educational sectors relying on such systems are most likely affected. Given the medium CVSS score of 6.
AI Analysis
Technical Summary
CVE-2026-2089 identifies a SQL injection vulnerability in the SourceCodester Online Class Record System version 1.0, located in the /admin/subject/controller.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is used directly in SQL queries. An attacker can remotely exploit this flaw by manipulating the 'ID' argument in HTTP requests to execute arbitrary SQL commands on the backend database. This can lead to unauthorized data disclosure, data modification, or even complete compromise of the database server. The vulnerability requires no authentication or user interaction, making it highly accessible to remote attackers: although the script lives under /admin/, the CVSS vector records no required privileges, so the admin path alone should not be assumed to gate access. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation has been reported, the public availability of exploit code increases the risk of attacks. The affected product is primarily used in educational environments to manage class records, making sensitive student and academic data vulnerable. The lack of official patches or vendor advisories necessitates immediate action by users to implement mitigations. This vulnerability exemplifies a common weakness in web applications that fail to properly sanitize user input, emphasizing the need for secure coding practices such as parameterized queries and rigorous input validation.
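To make the flaw class concrete, the following added example (not code from the affected product or from the advisory) reproduces an 'ID' lookup in which untrusted input is concatenated into SQL, beside a hardened version that validates the parameter against an integer allowlist and binds it. The real component is PHP; this is written in Python against an in-memory SQLite database so it runs stand-alone, and the table and column names (subjects, users, password_hash) are assumptions, not the product's schema.

```python
import re
import sqlite3

# Constructed sample schema and rows; names are assumptions, not the product's real tables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subjects (id INTEGER PRIMARY KEY, code TEXT, title TEXT)")
    conn.executemany("INSERT INTO subjects VALUES (?, ?, ?)", [
        (1, "MATH101", "Algebra"),
        (2, "CS101", "Intro to Programming"),
        (3, "HIST200", "Modern History"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash')")
    return conn

def get_subject_vulnerable(conn, raw_id):
    # Flaw class illustrated by the advisory: the raw 'ID' value becomes part of the SQL text.
    sql = "SELECT id, code, title FROM subjects WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

# Allowlist for the parameter: an integer key and nothing else. re.fullmatch over
# str.isdigit() because isdigit() also accepts Unicode digits that int() rejects.
ID_PATTERN = re.compile(r"[0-9]{1,10}")

def is_valid_id(raw_id):
    return bool(ID_PATTERN.fullmatch(raw_id))

def get_subject_hardened(conn, raw_id):
    if not is_valid_id(raw_id):
        raise ValueError("ID must be a positive integer")
    # Parameter binding: the value travels separately from the statement and is never parsed as SQL.
    return conn.execute(
        "SELECT id, code, title FROM subjects WHERE id = ?", (int(raw_id),)
    ).fetchall()

def demo():
    conn = make_db()
    print("normal   :", get_subject_vulnerable(conn, "2"))
    # Tautology: every subject row is returned.
    print("tautology:", get_subject_vulnerable(conn, "1 OR 1=1"))
    # UNION: rows from an unrelated table (here, a credential hash) come back through the same query.
    print("union    :", get_subject_vulnerable(conn, "0 UNION SELECT id, username, password_hash FROM users"))
    print("hardened :", get_subject_hardened(conn, "2"))
    try:
        get_subject_hardened(conn, "1 OR 1=1")
    except ValueError as exc:
        print("hardened rejects payload:", exc)

if __name__ == "__main__":
    demo()
```

Binding alone already defeats the payloads (the text '1 OR 1=1' bound to an integer column simply matches nothing); the allowlist check is added so malformed IDs are rejected loudly and logged rather than silently returning an empty result.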
Potential Impact
For European organizations, particularly educational institutions using the SourceCodester Online Class Record System, this vulnerability poses significant risks. Exploitation can lead to unauthorized access to sensitive student records, grades, and administrative data, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, allowing attackers to alter academic records or disrupt administrative functions. Availability impacts may include denial of service if the database is manipulated or corrupted. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments with exposed administrative interfaces. The reputational damage and legal consequences of data breaches in the education sector could be severe. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within institutional IT infrastructures. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional factors, but the risk remains substantial given the sensitive nature of the data involved.
Mitigation Recommendations
Organizations should immediately audit their use of the SourceCodester Online Class Record System version 1.0 and restrict access to the /admin/subject/controller.php endpoint to trusted administrators only, ideally via VPN or IP allowlisting; because the flaw needs no privileges, the /admin/ path itself should not be relied on as an access control. Implement web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the 'ID' parameter, treating this as a stopgap rather than a fix, since signature-based rules can be bypassed. Developers should refactor the vulnerable code to use parameterized queries or prepared statements instead of directly embedding user input into SQL commands. Input validation should be enforced to accept only the expected data type and format for the 'ID' parameter (an integer key), rejecting anything else. Regularly monitor web server and database logs for requests to this endpoint whose 'ID' value is not a plain integer. If possible, isolate the database server from direct internet exposure and enforce least privilege on database accounts so the application account cannot read unrelated tables or write outside its own. Since no official patches are currently available, consider migrating to an alternative, actively maintained class record system with a better security posture. Finally, conduct security awareness training for administrators to recognize and respond to potential exploitation attempts.
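For the log-monitoring step, an allowlist check on the parameter is more robust than matching SQL keywords, which attackers routinely obfuscate. The following added example (not part of the advisory, and not a product or vendor tool) scans Apache combined-format access-log lines for requests to /admin/subject/controller.php whose decoded 'ID' value is anything other than a plain integer. The sample log lines are constructed, the GET method and the query-string placement of 'ID' are assumptions, and the sqlmap user agent is illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2026:15:10:01 +0000] "GET /admin/subject/controller.php?ID=12 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Feb/2026:15:10:07 +0000] "GET /admin/subject/controller.php?ID=12%20OR%201%3D1 HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Feb/2026:15:11:42 +0000] "GET /admin/subject/controller.php?ID=0%20UNION%20SELECT%20id%2Cusername%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2201 "-" "sqlmap/1.8"
192.0.2.33 - - [07/Feb/2026:15:12:00 +0000] "GET /index.php HTTP/1.1" 200 511 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/admin/subject/controller.php"   # endpoint named in the advisory
ID_OK = re.compile(r"[0-9]{1,10}")              # the only shape a legitimate ID should have

def check_line(line):
    """Return a finding dict for a suspicious request to the affected endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes once, so '%20OR%201%3D1' is inspected as ' OR 1=1'.
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() != "id":
            continue
        for value in values:
            if not ID_OK.fullmatch(value):
                return {
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "id_value": value,
                }
    return None

def scan(log_text):
    """Scan a block of log text and return all findings in line order."""
    findings = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} ID={hit['id_value']!r}")
```

Access logs only carry the query string, so if the application reads 'ID' from a POST body the same check has to run in the application or a reverse proxy that logs request bodies. A 200 response to a tampered ID is the stronger signal: it means the backend accepted the query rather than erroring out.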
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-06T08:25:35.262Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69875704f9fa50a62fe92680
Added to database: 2/7/2026, 3:15:16 PM
Last enriched: 2/7/2026, 3:29:31 PM
Last updated: 2/7/2026, 9:44:45 PM
Related Threats
- CVE-2026-2113: Deserialization in yuan1994 tpadmin (Medium)
- CVE-2026-2111: Path Traversal in JeecgBoot (Medium)
- CVE-2026-2110: Improper Restriction of Excessive Authentication Attempts in Tasin1025 SwiftBuy (Medium)
- CVE-2026-2109: Improper Authorization in jsbroks COCO Annotator (Medium)
- CVE-2026-2108: Denial of Service in jsbroks COCO Annotator (Medium)