PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-36874 Razormist CVE debrief

CVE-2026-36874 describes a SQL injection vulnerability in Basic Library System v1.0, located in /librarysystem/load_student.php. NVD rates the issue LOW with a CVSS 3.1 base score of 2.7. The published vector indicates limited confidentiality impact with no integrity or availability impact, and it requires high privileges, so the realistic risk is a privileged application user (or an attacker who has obtained such an account) reading database contents through the vulnerable query. That still matters in deployments where the endpoint is reachable from the network.

Vendor
Razormist
Product
Basic Library System v1.0
CVSS
LOW (CVSS 3.1 base score 2.7)
CISA KEV
Not listed (as of the evidence available to this debrief)
Original CVE published
2026-04-13
Original CVE updated
2026-05-10
Advisory published
2026-04-13
Advisory updated
2026-05-10

Who should care

Organizations running Basic Library System v1.0, especially where /librarysystem/load_student.php is reachable in production or exercised by privileged accounts. Application owners, administrators, and security teams should review deployments that match the NVD CPE and the affected endpoint.

Technical summary

NVD lists the vulnerable product as cpe:2.3:a:razormist:basic_library_system:1.0 and classifies the weakness as CWE-89 (SQL Injection). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N: the issue is network-reachable (AV:N) with low attack complexity (AC:L), but the attacker must already hold high privileges in the application (PR:H); no user interaction is needed (UI:N), scope is unchanged (S:U), and the only rated impact is limited disclosure of data (C:L). The NVD reference set also points to a third-party advisory on GitHub for the reported issue.
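To make the CWE-89 classification concrete, the following is an added illustration written for this debrief in Python with sqlite3; it is not code from Basic Library System, whose PHP source is not reproduced here, and the table name, column names and sample rows are assumptions. It places a student lookup that splices request data into the SQL text next to the same lookup with a bound parameter, and runs a generic tautology payload through both to show why the vulnerable form has a confidentiality impact.

```python
import sqlite3

# Constructed sample data standing in for a library system's student table.
# Table and column names are assumptions for this illustration; this is not
# code from Basic Library System.
STUDENTS = [
    (1, "2024-0001", "Alice Example"),
    (2, "2024-0002", "Bob Example"),
    (3, "2024-0003", "Carol Example"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, student_no TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def load_student_vulnerable(conn, student_no):
    """CWE-89 pattern: request data is spliced into the SQL text.

    A quote character in student_no terminates the string literal, so the
    remainder of the value is parsed as SQL and a lookup meant to return one
    row can be turned into a read of the whole table.
    """
    sql = (
        "SELECT id, student_no, name FROM students "
        "WHERE student_no = '" + student_no + "'"
    )
    return conn.execute(sql).fetchall()


def load_student_fixed(conn, student_no):
    """Hardened form: the SQL text is constant and the value is a bound parameter.

    The driver passes the value separately from the statement, so quotes and
    keywords inside it are compared as data and never parsed as SQL.
    """
    sql = "SELECT id, student_no, name FROM students WHERE student_no = ?"
    return conn.execute(sql, (student_no,)).fetchall()


def compare(student_no):
    """Return (row count from the vulnerable lookup, row count from the fixed lookup)."""
    conn = make_db()
    vulnerable = len(load_student_vulnerable(conn, student_no))
    fixed = len(load_student_fixed(conn, student_no))
    return vulnerable, fixed


if __name__ == "__main__":
    # A well-formed identifier behaves identically in both versions.
    print("normal input:", compare("2024-0002"))
    # Generic tautology payload: the vulnerable lookup returns every row while
    # the parameterized lookup returns nothing, since no student_no equals it.
    print("tautology input:", compare("' OR '1'='1"))
```

The payload used here is the textbook tautology for demonstrating CWE-89, not a reproduction of the reported issue against the real endpoint. The point for code review is structural: if a query's text changes depending on request data, it is the vulnerable shape regardless of how the input is filtered beforehand.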

Defensive priority

Low to moderate. The base score is low and the vector requires high privileges, but the issue still warrants remediation in any live deployment: SQL injection exposes database contents to whoever can reach the query, and its presence in one endpoint points to unsafe query construction that may recur elsewhere in the code base.

Recommended defensive actions

  • Identify whether Basic Library System v1.0 is deployed and whether /librarysystem/load_student.php is reachable in your environment.
  • Apply any vendor or maintainer fix referenced by the official CVE/NVD record as soon as it is available.
  • Review the affected code path and confirm that every query built from request data uses prepared statements with bound parameters rather than string concatenation.
  • Restrict access to the affected endpoint to the authenticated administrative users who need it until remediated; because the vector is PR:H, reducing the number of privileged accounts directly reduces who can trigger the flaw.
  • Validate inputs server-side as a secondary layer, but treat parameterized queries as the primary fix; validation alone does not remove CWE-89.
  • Monitor web server and application logs for unusual requests targeting load_student.php (URL-decode query strings before inspecting them) and investigate any suspicious database access patterns.
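As an added example for the monitoring step (written for this debrief, not taken from the CVE sources or the project), the Python script below runs over constructed web server access log lines in the common combined format. It isolates requests to /librarysystem/load_student.php, URL-decodes the query string, and flags values containing SQL syntax; it also flags POST requests to the endpoint whose body an access log cannot show. The client addresses, timestamps, the parameter name id, and the payloads are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint named in the CVE description.
ENDPOINT = "/librarysystem/load_student.php"

# Constructed combined-format access log lines. Clients, timestamps, the "id"
# parameter name and the payloads are all made up for this illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2026:10:02:11 +0000] "GET /librarysystem/load_student.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Apr/2026:10:02:19 +0000] "GET /librarysystem/load_student.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2026:10:03:02 +0000] "GET /librarysystem/load_student.php?id=7%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [13/Apr/2026:10:03:40 +0000] "GET /librarysystem/index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.5 - - [13/Apr/2026:10:04:00 +0000] "POST /librarysystem/load_student.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# SQL syntax that has no business in a value that should be a student identifier:
# quotes, comment markers, statement separators, UNION SELECT, OR tautologies,
# and common time-based probes.
SQLI_RE = re.compile(
    r"(?i)('|--|;|/\*|\bunion\b\s+(?:all\s+)?select\b|\bor\b\s+\S+\s*=\s*\S+|\b(?:sleep|benchmark)\s*\()"
)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return a list of findings for requests to ENDPOINT that look like SQL injection probes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith(ENDPOINT):
            continue
        # Decode before matching: attackers routinely percent-encode quotes and spaces.
        decoded = unquote_plus(parts.query)
        base = {"client": rec["client"], "time": rec["time"], "method": rec["method"], "query": decoded}
        if rec["method"] != "GET" and not parts.query:
            # Access logs do not record request bodies, so a POST cannot be cleared here.
            findings.append({**base, "reason": "request body not present in access log; check application or WAF logs"})
            continue
        hit = SQLI_RE.search(decoded)
        if hit:
            findings.append({**base, "reason": f"SQL syntax in query string: {hit.group(0)!r}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["client"], f["method"], f["query"], "->", f["reason"])
```

Tune SQLI_RE to the parameter's legitimate alphabet: a student number should never contain a quote, so a quote is a strong signal here, whereas a free-text name field (O'Brien) would need a narrower pattern. Pair the results with the PR:H observation from the vector: a flagged request from a session that should not hold privileged access deserves more investigation than one from an expected administrator, and a flagged request that returned a much larger response than the endpoint's baseline is a hint that data was actually read.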

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and the linked third-party advisory reference. The CVE description states SQL injection in /librarysystem/load_student.php. NVD metadata supplies the affected CPE, the CWE-89 mapping, the CVSS vector, and the reference URL. Because vendor and product naming is not fully consistent across fields in the source corpus, the debrief ties product identification to the NVD CPE and the CVE description rather than inferring additional details.

Official resources

CVE published on 2026-04-13 and last modified on 2026-05-10. The debrief reflects the published CVE and NVD metadata as provided in the source corpus.