CVE-2026-3149: SQL Injection in itsourcecode College Management System
CVE-2026-3149 is a medium-severity SQL injection vulnerability found in itsourcecode College Management System version 1.0. The flaw exists in the /admin/asign-single-student-subjects.php file, where the course_code parameter is improperly sanitized, allowing remote attackers to inject malicious SQL commands. Exploitation requires no user interaction or authentication and can lead to partial compromise of confidentiality, integrity, and availability of the backend database. Although no known exploits are currently observed in the wild, public proof-of-concept code is available, increasing the risk of exploitation. This vulnerability primarily affects educational institutions using this specific CMS version. Mitigation requires applying patches or implementing strict input validation and parameterized queries. Countries with significant deployments of this software or large education sectors are at higher risk. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-3149 identifies a SQL injection vulnerability in the itsourcecode College Management System version 1.0, specifically within the /admin/asign-single-student-subjects.php script. The vulnerability arises from insufficient input validation of the 'course_code' parameter, which is directly incorporated into SQL queries without proper sanitization or use of parameterized statements. This flaw allows remote attackers to manipulate SQL commands by injecting crafted input, potentially enabling unauthorized data access, modification, or deletion within the backend database. The attack vector is network accessible without requiring user authentication or interaction, making it relatively easy to exploit. However, the impact is somewhat limited as the vulnerability affects only a specific function and the overall scope of data exposure or control is partial. The CVSS 4.0 score of 5.3 reflects these factors, indicating a medium severity level. No patches have been officially released yet, and no active exploitation has been reported, but public exploit code availability increases the risk. The vulnerability primarily threatens educational institutions using this CMS version, potentially exposing sensitive student and academic data.
Potential Impact
The exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive academic and student information stored in the database, including grades, enrollment details, and personal data. Attackers could modify or delete records, impacting data integrity and potentially disrupting academic operations. Confidentiality breaches could result in privacy violations and regulatory non-compliance, especially under data protection laws like GDPR or FERPA. Availability could be affected if attackers execute destructive queries or cause database errors, leading to denial of service for legitimate users. Although the vulnerability requires no authentication and is remotely exploitable, the limited scope of the affected functionality and the medium CVSS score suggest the impact is significant but not critical. Organizations worldwide using this CMS without proper mitigation are at risk of data compromise and operational disruption.
Mitigation Recommendations
Organizations should immediately audit their use of the itsourcecode College Management System version 1.0 and restrict access to the /admin/asign-single-student-subjects.php endpoint. Since no official patches are currently available, administrators must implement strict input validation on the 'course_code' parameter, ensuring only expected values are accepted. Employing parameterized queries or prepared statements in the backend code is essential to prevent SQL injection. Web application firewalls (WAFs) can be configured to detect and block suspicious SQL injection attempts targeting this parameter. Regular database backups and monitoring for unusual query patterns can help mitigate damage if exploitation occurs. Additionally, organizations should plan to upgrade to patched versions once released and conduct security training for developers to avoid similar vulnerabilities. Restricting administrative interface access to trusted IPs and enforcing strong authentication can further reduce risk.
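The two code-level mitigations above, allowlist validation of course_code and prepared statements, side by side with the unsafe string-concatenation pattern that the Technical Summary describes. This is an added example written for this page, not code from the itsourcecode College Management System: only the script name and the course_code parameter come from the advisory, while the table names (courses, student_subjects), the course-code format, the student_id value and the in-memory SQLite database are assumptions so that the file runs offline with `php example.php`.

```php
<?php
// Added example (not code from the itsourcecode College Management System).
// Only the script name and the course_code parameter come from the advisory;
// the schema (courses, student_subjects), the course-code format and the
// in-memory SQLite database are assumptions so the file runs offline.
declare(strict_types=1);

function open_db(): PDO
{
    // On MySQL also pass PDO::ATTR_EMULATE_PREPARES => false so the server,
    // not the client library, performs the parameter binding.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE courses (course_code TEXT PRIMARY KEY)');
    $db->exec('CREATE TABLE student_subjects (student_id INTEGER, course_code TEXT)');
    $db->exec("INSERT INTO courses VALUES ('CS101'), ('MATH-201')"); // constructed seed data
    return $db;
}

// Vulnerable pattern: request input is concatenated into the SQL text, so any
// quote or operator inside course_code is parsed as SQL rather than as data.
function assign_subject_vulnerable(PDO $db, string $course_code, int $student_id): bool
{
    $sql = "INSERT INTO student_subjects (student_id, course_code) "
         . "VALUES ($student_id, '$course_code')";
    return $db->exec($sql) === 1;
}

// Hardened pattern, step 1: allowlist validation. Course codes in this assumed
// schema look like CS101 or MATH-201; anything else is rejected before any query.
function is_valid_course_code(string $code): bool
{
    return preg_match('/\A[A-Z]{2,6}-?[0-9]{3,4}\z/', $code) === 1;
}

// Hardened pattern, step 2: prepared statements. Values are bound as parameters
// and never become part of the SQL grammar, whatever characters they contain.
function assign_subject_safe(PDO $db, string $course_code, int $student_id): bool
{
    if (!is_valid_course_code($course_code)) {
        throw new InvalidArgumentException('course_code failed validation');
    }
    $exists = $db->prepare('SELECT 1 FROM courses WHERE course_code = :code');
    $exists->execute([':code' => $course_code]);
    if ($exists->fetchColumn() === false) {
        return false; // unknown course: refuse rather than insert a dangling row
    }
    $ins = $db->prepare(
        'INSERT INTO student_subjects (student_id, course_code) VALUES (:sid, :code)'
    );
    return $ins->execute([':sid' => $student_id, ':code' => $course_code]);
}

$db = open_db();
// Constructed inputs: a known course, a well-formed but unknown course, and a
// value containing a stray quote, which reaches the SQL parser in the
// vulnerable version but never leaves the validation step in the safe one.
$inputs = ['CS101', 'PHYS999', "CS'101"];
foreach ($inputs as $code) {
    try {
        $ok = assign_subject_vulnerable($db, $code, 7); // 7 is a constructed student_id
        echo "vulnerable: '$code' -> " . ($ok ? 'inserted' : 'not inserted') . "\n";
    } catch (PDOException $e) {
        echo "vulnerable: '$code' -> SQL error (input was parsed as SQL)\n";
    }
    try {
        $ok = assign_subject_safe($db, $code, 7);
        echo "safe:       '$code' -> " . ($ok ? 'inserted' : 'unknown course') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:       '$code' -> rejected by validation\n";
    }
}
```

The validation step is what gives a WAF rule or a log monitor something concrete to key on: any request whose course_code fails the allowlist is by definition malformed for this endpoint and can be logged and counted, whereas the prepared statement is what actually removes the injection, independent of how strict the validation is.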
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Malaysia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-24T20:08:06.728Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e80ffb7ef31ef0bd6da9f
Added to database: 2/25/2026, 4:56:31 AM
Last enriched: 2/25/2026, 5:11:17 AM
Last updated: 2/25/2026, 7:10:39 AM