CVE-2026-4632 identifies a SQL injection vulnerability in the itsourcecode Online Enrollment System version 1.0, specifically within the /sms/user/index.php?view=add endpoint. The vulnerability arises from improper sanitization or validation of the 'Name' parameter in the Parameter Handler component, allowing an attacker to inject malicious SQL statements. This injection can be performed remotely without requiring authentication or user interaction, increasing the attack surface. The flaw enables attackers to manipulate backend database queries, potentially extracting sensitive student or enrollment data, modifying records, or disrupting database integrity. The vulnerability does not require special privileges and can be exploited over the network, making it accessible to a wide range of attackers. Although the exploit has been publicly disclosed, there is no evidence of widespread exploitation in the wild. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. The absence of patches or official vendor fixes increases the urgency for organizations to implement compensating controls. This vulnerability highlights the critical need for secure coding practices and input validation in web applications handling sensitive data.

The SQL injection vulnerability in the itsourcecode Online Enrollment System can lead to unauthorized disclosure of sensitive enrollment and student information, compromising confidentiality. Attackers may also alter or delete records, impacting data integrity and potentially disrupting enrollment operations, affecting availability. Since the vulnerability can be exploited remotely without authentication, it poses a significant risk of data breaches and operational disruption. Educational institutions relying on this system could face reputational damage, regulatory penalties, and loss of trust from students and stakeholders. The scope is limited to organizations using version 1.0 of this specific software, but the impact on affected entities can be substantial. The public availability of exploit code increases the likelihood of opportunistic attacks, especially from less skilled threat actors. Without mitigation, attackers could leverage this vulnerability to gain deeper access into the network or pivot to other systems, escalating the overall risk posture.

Organizations should immediately assess their use of itsourcecode Online Enrollment System version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement strict input validation and parameterized queries or prepared statements to prevent SQL injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious SQL injection payloads targeting the vulnerable endpoint. Conduct regular security audits and code reviews focusing on input handling in the Parameter Handler component. Restrict database permissions for the application to the minimum necessary to limit the impact of a successful injection. Monitor logs for unusual database query patterns or repeated access attempts to /sms/user/index.php?view=add. Educate development teams on secure coding practices to prevent similar vulnerabilities. Finally, consider network segmentation and access controls to limit exposure of the enrollment system to untrusted networks.