CVE-2026-3413: SQL Injection in itsourcecode University Management System
A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2026-3413 identifies a SQL Injection vulnerability in the itsourcecode University Management System version 1.0. The vulnerability resides in the /admin_single_student.php file, where the ID parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This flaw can be exploited remotely without requiring authentication or user interaction, making it highly accessible to attackers. The injection can lead to unauthorized data access, modification, or deletion within the backend database, potentially exposing sensitive student and administrative information. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects that the attack is network-based, requires low attack complexity, no privileges, and no user interaction, but the impact on confidentiality, integrity, and availability is limited to low levels. No official patches have been released yet, and while no active exploitation has been reported, the public availability of exploit code increases the risk of future attacks. The vulnerability affects only version 1.0 of the product, which is likely deployed in academic environments managing student data.
Potential Impact
The exploitation of this SQL Injection vulnerability can lead to unauthorized disclosure of sensitive student and administrative data, unauthorized modification or deletion of records, and potential disruption of university management operations. Confidentiality is at risk as attackers may extract personal information, grades, or financial data. Integrity can be compromised if attackers alter records, potentially affecting academic outcomes or administrative decisions. Availability impact is possible if attackers execute destructive queries or cause database errors, leading to service outages. Given the remote, unauthenticated nature of the attack, the threat is significant for any institution using the affected software version. The impact extends beyond individual institutions to potentially affect students, staff, and regulatory compliance with data protection laws.
Mitigation Recommendations
Organizations should immediately assess their use of itsourcecode University Management System version 1.0 and isolate affected instances. Since no official patches are currently available, implement the following mitigations:
- Apply input validation and parameterized queries or prepared statements in the /admin_single_student.php file to prevent SQL injection.
- Employ web application firewalls (WAFs) with rules targeting SQL injection patterns, specifically filtering requests to the vulnerable endpoint.
- Restrict network access to the administrative interface to trusted IP addresses and enforce strong authentication mechanisms.
- Monitor logs for suspicious activity related to the ID parameter and unusual database queries.
- Plan for an upgrade or vendor patch deployment once available.
- Educate developers and administrators about secure coding practices to prevent similar vulnerabilities.
These steps will reduce the attack surface and mitigate exploitation risk until a formal patch is released.
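The following is an added example, not code from the advisory or from the itsourcecode project, illustrating the first and fourth mitigations above. The affected application is PHP, so the table, column names and access-log lines here are constructed assumptions; the same pattern in PHP would use PDO prepared statements with a validated integer bound to the placeholder. The example contrasts a lookup that concatenates the raw ID into the query text (the class of defect the advisory describes) with a hardened lookup that validates the ID as a plain integer and passes it as a bound parameter, and then shows a simple log check that flags requests to /admin_single_student.php whose ID value is not a plain integer.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

ID_PATTERN = re.compile(r"[0-9]{1,10}")  # what a legitimate student ID looks like (assumed)
ADMIN_STUDENT_PATH = "/admin_single_student.php"  # vulnerable endpoint named in the advisory


def make_db():
    """Constructed in-memory stand-in for the application's student table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "Ada", "A"), (2, "Brian", "B"), (3, "Chen", "C")],
    )
    return conn


def lookup_student_vulnerable(conn, raw_id):
    """The defect class in the advisory: the request parameter becomes part of the SQL text,
    so any SQL inside it is executed rather than compared against the id column."""
    sql = "SELECT id, name, grade FROM students WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def is_valid_student_id(raw_id):
    """Input validation: accept only a short string of digits, nothing else."""
    return bool(raw_id) and ID_PATTERN.fullmatch(raw_id) is not None


def lookup_student_hardened(conn, raw_id):
    """Validate first, then use a parameterized query: the value is sent separately from
    the SQL text, so it can never change the query's structure."""
    if not is_valid_student_id(raw_id):
        raise ValueError("invalid student id")
    student_id = int(raw_id)
    return conn.execute(
        "SELECT id, name, grade FROM students WHERE id = ?", (student_id,)
    ).fetchall()


# Constructed sample access-log lines in common log format; not taken from any real host.
LOG_LINES = [
    '10.0.0.5 - - [02/Mar/2026:06:26:10 +0000] "GET /admin_single_student.php?ID=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Mar/2026:06:27:41 +0000] "GET /admin_single_student.php?ID=12%20OR%201%3D1 HTTP/1.1" 200 9031',
    '10.0.0.7 - - [02/Mar/2026:06:28:02 +0000] "GET /index.php HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_id_requests(lines):
    """Detection for mitigation 4: return (client, decoded ID value) for every request to the
    vulnerable endpoint whose ID parameter is not a plain integer."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if parts.path != ADMIN_STUDENT_PATH:
            continue
        # parse_qs percent-decodes the value, so encoded spaces and '=' are inspected as sent.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
            if not is_valid_student_id(value):
                flagged.append((line.split()[0], value))
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("hardened, ID=2:", lookup_student_hardened(db, "2"))
    print("vulnerable, ID=2 OR 1=1:", lookup_student_vulnerable(db, "2 OR 1=1"))
    print("flagged log entries:", suspicious_id_requests(LOG_LINES))
```

Run stand-alone, the vulnerable lookup returns every row for the tautological ID while the hardened lookup rejects the same input before any query is built, and the log check flags the one request whose decoded ID is not numeric. The detector matches the parameter name exactly as the advisory spells it (ID); if the application also honours other spellings, extend the key check accordingly.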
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Malaysia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-01T09:42:47.906Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a52d8232ffcdb8a2a6acfe
Added to database: 3/2/2026, 6:26:10 AM
Last enriched: 3/2/2026, 6:41:06 AM
Last updated: 3/2/2026, 7:39:00 AM