CVE-2026-5334 is a SQL Injection vulnerability identified in the itsourcecode Online Enrollment System version 1.0. The vulnerability resides in the handling of the 'deptid' parameter within the /enrollment/index.php file, specifically in a function related to parameter processing. An attacker can remotely manipulate this parameter to inject malicious SQL code, which the system then executes on the backend database. This can lead to unauthorized access, modification, or deletion of sensitive enrollment data. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploits have been reported in the wild, the availability of exploit code publicly increases the risk of attacks. The vulnerability affects only version 1.0 of the product, and no official patches have been linked yet. The root cause is improper input sanitization and lack of parameterized queries in the affected component, allowing direct injection of SQL commands. This type of vulnerability is critical in web applications managing sensitive data such as student enrollment records, as it can lead to data leakage, unauthorized data manipulation, or denial of service through database corruption or crashes.

The SQL Injection vulnerability in the itsourcecode Online Enrollment System can have significant impacts on organizations using this software, particularly educational institutions managing student enrollment data. Exploitation can lead to unauthorized disclosure of sensitive personal information, including student identities, enrollment details, and academic records, compromising confidentiality. Attackers may also alter or delete enrollment data, impacting data integrity and potentially disrupting academic operations and reporting. Availability may be affected if attackers execute commands that cause database crashes or lockouts, leading to denial of service. Since the vulnerability is remotely exploitable without authentication or user interaction, the attack surface is broad, increasing the likelihood of compromise. The public availability of exploit code further raises the risk of automated or opportunistic attacks. Organizations may face regulatory compliance issues, reputational damage, and operational disruptions if the vulnerability is exploited. The impact is somewhat limited by the scope of the affected product and version, but for those environments, the consequences can be severe.

To mitigate CVE-2026-5334, organizations should immediately assess whether they are running itsourcecode Online Enrollment System version 1.0 and prioritize remediation. Since no official patches are currently linked, temporary mitigations include implementing strict input validation and sanitization on the 'deptid' parameter to reject malicious input patterns. Refactoring the code to use parameterized queries or prepared statements is essential to prevent SQL injection. Restrict database user permissions to the minimum necessary, limiting the potential damage from successful injection. Employ web application firewalls (WAFs) with SQL injection detection and prevention rules to block exploit attempts at the network perimeter. Monitor logs for suspicious query patterns or repeated access attempts to the vulnerable endpoint. Educate developers and administrators on secure coding practices to avoid similar vulnerabilities. Plan for an upgrade or patch deployment once the vendor releases an official fix. Additionally, conduct regular security assessments and penetration testing to identify and remediate injection flaws proactively.