CVE-2026-2087
📋 TL;DR
This SQL injection vulnerability in SourceCodester Online Class Record System 1.0 allows attackers to manipulate database queries through the user_email parameter in the admin login page. Attackers can potentially extract sensitive data, modify database contents, or bypass authentication. Any organization using this specific version of the software is affected.
💻 Affected Systems
- SourceCodester Online Class Record System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution if database permissions allow.
Likely Case
Unauthorized access to sensitive student/teacher data, grade manipulation, and potential system takeover through admin account compromise.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.
🎯 Exploit Status
Exploit published on GitHub, requires no authentication, and SQL injection is well-understood by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sourcecodester.com/
Restart Required: No
Instructions:
1. Check vendor website for updates 2. If patch available, download and apply 3. Replace vulnerable login.php file 4. Test authentication functionality
🔧 Temporary Workarounds
Input Validation Filter
allAdd server-side validation to sanitize user_email parameter
Modify /admin/login.php to include input sanitization for email fields
Web Application Firewall Rule
allBlock SQL injection patterns in user_email parameter
Add WAF rule to detect and block SQL injection attempts on /admin/login.php
🧯 If You Can't Patch
- Restrict access to /admin/ directory using IP whitelisting or authentication
- Implement database user with minimal permissions (read-only if possible)
🔍 How to Verify
Check if Vulnerable:
Test /admin/login.php with SQL injection payloads in user_email parameter and observe database errors or unexpected behavior.Check Version:
Check software version in admin panel or readme filesVerify Fix Applied:
Attempt SQL injection after applying fixes and confirm proper error handling without database exposure.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax in login attempts
- Multiple failed login attempts with SQL characters
- Database error logs showing SQL injection patterns
Network Indicators:
- HTTP POST requests to /admin/login.php containing SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/admin/login.php" AND (user_email CONTAINS "' OR" OR user_email CONTAINS "UNION" OR user_email CONTAINS "SELECT")