CVE-2026-9574 itsourcecode CVE debrief

Who should care

Organizations running itsourcecode Student Transcript Processing System 1.0; educational institutions using this transcript management software; security teams responsible for web application security in academic environments; database administrators managing student record systems

Technical summary

The vulnerability resides in the /admin/modules/student/trans.php endpoint of itsourcecode Student Transcript Processing System 1.0. The studentId and cid parameters are vulnerable to SQL injection due to improper input sanitization. An unauthenticated remote attacker can craft malicious requests to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. The CVSS 4.0 score of 5.5 (MEDIUM) reflects the network accessibility and proof-of-concept exploit availability, though impacts are rated as low across confidentiality, integrity, and availability dimensions.

Defensive priority

medium

Recommended defensive actions

• Apply input validation and parameterized queries to the studentId and cid parameters in /admin/modules/student/trans.php
• Review and restrict database user privileges to limit impact of potential SQL injection
• Monitor web application logs for suspicious SQL injection patterns targeting the identified endpoint
• Contact itsourcecode for official patch availability and vendor confirmation
• Consider web application firewall rules to detect and block SQL injection attempts against the affected parameters

Evidence notes

Vulnerability disclosed via VulDB with references to GitHub issue and vendor website. CVSS 4.0 vector provided with exploit availability flag set to 'P' (Proof-of-concept). CPE criteria not available in source data. Vendor identification derived from reference domain candidate 'Itsourcecode' with low confidence flag.

Official resources