{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36874", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-13T20:42:54.500Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:16:56.807Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:28:18.210845Z", "id": "CVE-2026-36874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:42:54.500Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php."}], "id": "CVE-2026-36874", "lastModified": "2026-04-13T15:01:43.663", "metrics": {}, "published": "2026-04-13T13:16:41.673", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Undergoing Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-13T13:21:21.718948+00:00", "value": {"mitigation_remediation": ["Apply the latest patched release of Sourcecodester Basic Library System v1.0 if one is available.", "If no patch is available, modify the application to use parameterized queries or stored procedures to eliminate unsanitized input.", "Escalate database account privileges to the minimum required for the application to function, preventing widespread damage if injection succeeds.", "Implement input validation to reject suspicious characters or patterns before they reach the database layer.", "Enable logging and monitor for anomalous SQL activity that could indicate an ongoing attack."], "summary": {"action": "Patch Immediately", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected application is Sourcecodester Basic Library System version 1.0, a web-based library management system. The specific file exposed is /librarysystem/load_student.php, which processes user input without proper sanitization. No additional vendor or product information is provided.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary SQL commands into the query executed by /librarysystem/load_student.php. This could enable unauthorized reading of student records, modification of data, or even deletion of the database, thereby compromising the confidentiality, integrity, and availability of the system. The weakness can be identified as an SQL Injection flaw.", "risk_and_exploitability": "The CVSS score is not supplied, but the nature of SQL injection typically represents a high severity risk. Because the attack vector involves a web form or URL parameter, an external attacker can likely exploit the flaw remotely without needing privileged access. EPSS information is unavailable and the vulnerability is not listed in CISA's KEV catalog, so the likelihood of exploitation is uncertain, yet the potential impact warrants immediate attention."}}}}, "created": "2026-04-13T14:27:00.116588+00:00", "title": "SQL Injection Vulnerability in Basic Library System v1.0", "updated": "2026-04-13T14:27:00.116612+00:00", "vendors": [], "weaknesses": ["CWE-89"]}