{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36948", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T13:20:38.064Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:05:19.460Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:20:33.386521Z", "id": "CVE-2026-36948", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:20:38.064Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-36948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:20:33.386521Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:20:26.424Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-1.md"}], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:05:19.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-36948", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:20:38.064Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php."}], "id": "CVE-2026-36948", "lastModified": "2026-04-17T15:28:29.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T17:16:28.993", "references": [{"source": "cve@mitre.org", "url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "v1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "online_thesis_archiving_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T15:35:56.180879+00:00", "value": {"mitigation_remediation": ["Update the Sourcecodester Online Thesis Archiving System to the latest available version that includes a fix for the SQL injection flaw.", "If no official patch exists, modify the database access layer in /otas/view_archive.php to use parameterized queries or proper escaping to prevent malformed SQL.", "Implement authentication controls so that only authorized users can access the view_archive.php endpoint, reducing the attack surface.", "Run a comprehensive web application vulnerability scan after applying changes to confirm the issue has been resolved."], "summary": {"action": "Apply patch", "impact": "SQL injection leading to unauthorized data access or modification"}, "threat_synthesis": {"affected_systems": "The software affected is the Sourcecodester Online Thesis Archiving System version 1.0. No vendor name is provided in the CNA mapping and the product appears to be a community\u2011developed PHP application used for storing academic theses. The only explicit version information available is v1.0; further details such as patch levels are not disclosed.", "description_and_impact": "A classic SQL injection vulnerability exists in the sourcecodester online thesis archiving system v1.0, specifically within the file /otas/view_archive.php. The flaw allows an attacker to inject arbitrary SQL code into the database query, which can result in the leakage of confidential thesis documents, alteration of stored records, or deletion of data. As the injection occurs in a publicly accessible endpoint, any user with network access to the web application could potentially exploit it. The weakness is identified as a classic input validation failure (CWE\u201189).", "risk_and_exploitability": "The CVSS base score of 7.3 indicates a high severity level, with the attack requiring local or remote code execution through the web layer. EPSS indicates a low probability of exploitation (<1%), and the issue is not listed in the CISA KEV catalog. The likely attack vector is through HTTP requests sent to /otas/view_archive.php with crafted parameters, a typical scenario for web\u2011application SQL injection. Without mitigation, an attacker could read or modify the underlying MySQL database used by the application."}}}}, "created": "2026-04-14T16:21:53.567302+00:00", "updated": "2026-04-14T16:35:43.165536+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$online_thesis_archiving_system"]}