{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36952", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T15:31:59.960Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:15:12.489Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-5.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:31:31.135995Z", "id": "CVE-2026-36952", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:31:59.960Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-36952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:31:31.135995Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:31:27.841Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-5.md"}], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:15:12.489Z"}}}, "cveMetadata": {"cveId": "CVE-2026-36952", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:31:59.960Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php."}], "id": "CVE-2026-36952", "lastModified": "2026-04-17T15:28:29.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T17:16:29.230", "references": [{"source": "cve@mitre.org", "url": "https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-5.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "online_thesis_archiving_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T18:57:04.132894+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or repository for an updated version of Sourcecodester Online Thesis Archiving System that addresses this issue.", "Limit access to the /otas/admin/curriculum/manage_curriculum.php endpoint by IP address, VPN, or strict authentication controls.", "Refactor the curriculum management code to use prepared statements or parameterized queries, ensuring that all user input is properly validated before being included in SQL commands."], "summary": {"action": "Patch/Restrict", "impact": "Remote Web Application SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability is limited to the Sourcecodester Online Thesis Archiving System version 1.0, specifically the administrative page that handles curriculum data. No other vendors or product versions are listed in the official record. The flaw exists only in the manage_curriculum.php script exposed to administrative users.", "description_and_impact": "Sourcecodester Online Thesis Archiving System 1.0 contains a SQL injection flaw in the file /otas/admin/curriculum/manage_curriculum.php. The flaw allows an attacker to embed arbitrary SQL code into the input fields of the curriculum management form, which is then executed directly against the underlying database. This type of weakness, classified as CWE-89, can lead to leaking confidential thesis records, modifying or deleting data, and potentially compromising the integrity of the entire archive.", "risk_and_exploitability": "The CVSS score of 2.7 and an EPSS score below 1% indicate that the risk and likelihood of exploitation are relatively low. The vulnerability is not part of the CISA KEV catalog. Exploitation would require access to the vulnerable admin page, which may demand authenticated admin credentials or direct web server reach. If successful, the attacker could execute arbitrary SQL statements, potentially gaining full read or modification capabilities over the thesis database."}}}}, "created": "2026-04-14T16:21:51.333444+00:00", "updated": "2026-04-15T15:45:07.539057+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$online_thesis_archiving_system"]}