CVE-2026-4842 identifies a SQL injection vulnerability in itsourcecode Online Enrollment System version 1.0, specifically within the /sms/grades/index.php file's 'deptid' parameter. The vulnerability arises from insufficient input validation or sanitization of this parameter, allowing an attacker to inject malicious SQL queries remotely. This injection can manipulate backend database queries, potentially exposing sensitive student data, altering grades, or corrupting enrollment records. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impacts on confidentiality, integrity, and availability. Although no public patches are currently available, the vulnerability's public disclosure means attackers could develop exploits. The affected component is critical for managing student grades and enrollment data, making the impact significant for educational institutions relying on this system. The lack of scope change means the vulnerability affects only the vulnerable component but can still compromise sensitive data within that scope.

The SQL injection vulnerability can lead to unauthorized disclosure of sensitive student and enrollment data, modification or deletion of academic records, and potential disruption of enrollment services. Attackers exploiting this flaw can bypass access controls and manipulate database queries, undermining data integrity and availability. This could result in reputational damage, regulatory penalties for data breaches, and operational disruptions for educational institutions. Since the vulnerability is remotely exploitable without authentication, it poses a significant risk of automated attacks or exploitation by opportunistic threat actors. The impact extends to confidentiality, integrity, and availability, potentially affecting all data managed by the enrollment system. Organizations using this software without mitigation are at risk of data leakage, unauthorized grade changes, and denial of service conditions.

Organizations should immediately audit their use of the itsourcecode Online Enrollment System version 1.0 and restrict external access to the vulnerable /sms/grades/index.php endpoint. Implement input validation and parameterized queries or prepared statements to sanitize the 'deptid' parameter and prevent SQL injection. If source code modification is possible, refactor the vulnerable code to use secure coding practices for database interactions. Employ web application firewalls (WAFs) with SQL injection detection rules to block malicious payloads targeting this parameter. Monitor logs for suspicious activity related to the 'deptid' parameter and unusual database queries. Segregate the enrollment system database with least privilege principles to limit damage if exploited. Coordinate with the vendor for patches or updates and apply them as soon as they become available. Conduct penetration testing focused on injection flaws to verify mitigation effectiveness.