CVE-2026-10808: SQL Injection in itsourcecode Fees Management System 1.0
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the ID parameter in the /manage_student.php file, potentially enabling unauthorized data access, modification, or deletion. The vulnerability requires valid login credentials but can be exploited remotely over the network. Public exploit code is available, elevating the risk of active attack.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /manage_student.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10808 is a SQL injection flaw (CWE-89) affecting an unknown function within /manage_student.php in itsourcecode Fees Management System 1.0. The ID parameter accepts unsanitized user input that is passed directly into SQL queries without proper parameterization or escaping. This allows an authenticated attacker to inject arbitrary SQL commands, bypassing the application's data access controls. The vulnerability chain involves improper input validation (CWE-74) before database operations. CVSS 3.1 score is 6.3 (MEDIUM severity) with a network attack vector, low attack complexity, and requirement for low privileges.
Business impact
Compromise of student records, fee data, and financial information stored within the system. An authenticated attacker could exfiltrate sensitive personally identifiable information, alter fee structures or payment records, or delete critical data, disrupting administrative operations and potentially affecting financial reconciliation and student account integrity. Educational institutions relying on this system for enrollment and billing face operational and compliance risks.
Affected systems
itsourcecode Fees Management System version 1.0 is affected. Organizations running this application in production should prioritize identification and remediation. The vulnerability requires an attacker to possess valid system credentials, limiting exposure scope to internal users, former employees with lingering access, or accounts compromised through credential compromise.
Exploitability
Exploitation is feasible and simplified by the public availability of exploit code. However, the requirement for prior authentication (low privilege level) creates a meaningful friction point: attackers must first gain valid login credentials through credential stuffing, phishing, insider threats, or account compromise. Once authenticated, the attack is trivial to execute using standard SQL injection techniques or readily available payloads. The low attack complexity indicates minimal technical sophistication is needed.
Remediation
Upgrade to a patched version of itsourcecode Fees Management System if available; verify patch availability with the vendor. If no patch exists, implement immediate compensating controls: enforce parameterized queries or prepared statements in /manage_student.php, apply strict input validation and allowlisting on the ID parameter, implement web application firewalls (WAF) with SQL injection detection rules, and enforce principle of least privilege on database user accounts associated with the application. Review access logs for suspicious query patterns.
Patch guidance
Contact itsourcecode directly to determine if a security update addressing CVE-2026-10808 is available. If a patched version exists, verify the specific version number and deployment steps through the vendor's official advisory before rolling out updates to production. Test patches in a staging environment first, particularly given the critical role of student and financial data. If no patch is available from the vendor, prioritize the compensating controls outlined in the remediation section.
Detection guidance
Monitor /manage_student.php access logs for suspicious patterns: SQL keywords in URL parameters (SELECT, UNION, OR, EXEC), unusual ID parameter values containing special characters (single quotes, semicolons, dashes), and repeated failed application errors. Enable database query logging to capture injected SQL statements. Implement WAF rules to block common SQL injection patterns. Review user access to the application, particularly privileged accounts and those with database modification permissions. Correlate application logs with database transaction logs to identify anomalous queries.
Why prioritize this
CVSS 6.3 MEDIUM severity reflects the combination of network exploitability and data confidentiality/integrity/availability impact, tempered by the authentication requirement. However, prioritization should be elevated due to the public availability of exploit code and the sensitivity of student and financial data. Organizations should patch or implement compensating controls within 30 days, with accelerated timelines for institutions with high-risk threat models (external-facing systems, history of insider threats, compliance-sensitive environments).
Risk score, explained
The CVSS 3.1 score of 6.3 reflects: network attack vector (AV:N) providing remote accessibility; low attack complexity (AC:L) indicating straightforward exploitation; low privileges required (PR:L) as the attacker must be authenticated; no user interaction needed (UI:N); and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The MEDIUM severity aligns with real-world impact—data theft and modification are possible but limited by the need for valid credentials and the selective nature of SQL injection attacks.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
Yes. CVE-2026-10808 requires authenticated access to the Fees Management System. An attacker must possess valid login credentials, making this an insider risk or post-compromise exploitation vector. Credential compromise through phishing, password reuse, or data breaches could enable external attackers to exploit this vulnerability.
Is there a public exploit for this vulnerability?
Yes. Public exploit code is available, which means attackers do not need to develop custom exploitation tools. This lowers the barrier to attack and increases the likelihood of opportunistic exploitation if valid credentials are obtained. Security teams should assume this vulnerability will be weaponized quickly.
What data is at risk if this vulnerability is exploited?
Student records, enrollment data, fee structures, payment history, and financial transaction information stored in the Fees Management System are at risk. An attacker could read, modify, or delete this data, potentially affecting student accounts, financial reporting accuracy, and institutional records.
What should I do if I cannot update the system immediately?
Implement layered compensating controls: enforce database parameterized queries, apply strict allowlisting to the ID parameter, deploy a WAF with SQL injection rules, restrict database user privileges, and strengthen authentication controls (strong passwords, multi-factor authentication). Monitor access logs continuously for exploitation attempts and conduct a user access audit to remove unnecessary system permissions.
This analysis is provided for informational purposes and reflects the CVE details as of the publication date. Vendor information, patch availability, and specific remediation guidance should be verified directly with itsourcecode and your organization's security team. SEC.co makes no warranty regarding the completeness or accuracy of third-party patch timelines or product support status. Conduct thorough testing of any security patches in a non-production environment before deployment. This vulnerability assessment does not constitute professional security advice tailored to your specific environment; engage qualified security professionals for architecture review and control implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface