CVE-2026-2089 identifies an SQL injection vulnerability in SourceCodester Online Class Record System version 1.0, located in the /admin/subject/controller.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which attackers can manipulate remotely without authentication or user interaction. This allows the injection of malicious SQL queries, potentially enabling attackers to read, modify, or delete database records, or execute administrative database commands. The vulnerability affects the confidentiality, integrity, and availability of the system's data, though the impact is considered limited (VC:L, VI:L, VA:L) according to the CVSS vector. The exploit is publicly available, increasing the likelihood of exploitation, though no active exploitation has been reported yet. The vulnerability is rated medium severity with a CVSS 4.0 score of 6.9, reflecting a balance between ease of exploitation (no privileges or user interaction required) and limited scope of impact. The affected product is primarily used in educational environments for managing class records, making sensitive student and academic data potentially exposed. No official patches have been linked, so mitigation may require code review, input validation, or applying custom fixes until vendor patches are released.

The SQL injection vulnerability can lead to unauthorized access to sensitive academic and administrative data stored in the Online Class Record System database. Attackers could extract confidential student records, alter grades or attendance data, or disrupt system availability by executing malicious SQL commands. This compromises data integrity and confidentiality, potentially damaging institutional reputation and violating data protection regulations. Since the vulnerability requires no authentication, any remote attacker can exploit it, increasing the attack surface. The availability impact is limited but could include denial of service through crafted queries. Organizations relying on this system risk data breaches and operational disruptions, especially if the system is internet-facing or insufficiently protected by network controls. The presence of a public exploit further elevates the threat, as less skilled attackers can leverage it. The impact is particularly significant for educational institutions with large volumes of sensitive personal data and regulatory compliance obligations.

Organizations should immediately audit their use of SourceCodester Online Class Record System version 1.0 and restrict access to the /admin/subject/controller.php endpoint through network segmentation and firewall rules to trusted IPs only. Input validation and parameterized queries should be implemented or enforced in the affected code to prevent SQL injection. If source code access is available, developers should sanitize and validate the 'ID' parameter rigorously, using prepared statements or stored procedures. Monitoring database logs for unusual queries and setting up web application firewalls (WAF) with SQL injection detection rules can provide additional protection. Until an official patch is released, consider isolating the system from public networks or deploying reverse proxies with filtering capabilities. Regular backups of the database should be maintained to enable recovery from potential data corruption. Finally, organizations should stay updated on vendor advisories for patches or official fixes and apply them promptly once available.