{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36236", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:25:25.580Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T14:47:13.962Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Amorsec/CVE-PHP/blob/main/sourcecodester-Engineers_Online_Portal_in_PHP_update_password.php_sql_injection.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:22:14.227663Z", "id": "CVE-2026-36236", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:25:25.580Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-36236", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:22:14.227663Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:24:02.262Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Amorsec/CVE-PHP/blob/main/sourcecodester-Engineers_Online_Portal_in_PHP_update_password.php_sql_injection.pdf"}], "descriptions": [{"lang": "en", "value": "SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T14:47:13.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-36236", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:25:25.580Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:janobe:engineers_online_portal:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "461D780B-1D99-40B8-BE65-497FAD073EBE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter."}], "id": "CVE-2026-36236", "lastModified": "2026-04-14T17:42:10.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T15:16:25.197", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/Amorsec/CVE-PHP/blob/main/sourcecodester-Engineers_Online_Portal_in_PHP_update_password.php_sql_injection.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "engineers_online_portal", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T19:35:57.521199+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or upgrade to a newer, patched version of SourceCodester Engineers Online Portal", "Refactor the update_password.php logic to use parameterized queries or prepared statements for all database interactions", "Validate and sanitize the new_password input, rejecting suspicious characters before processing", "Restrict access to the password update endpoint so that only authenticated users can invoke it and enforce strong session management", "Monitor web logs for anomalous activity targeting the update_password.php URL and investigate suspicious requests"], "summary": {"action": "Immediate Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is Janobe\u2019s SourceCodester Engineers Online Portal, version 1.0. The CPE confirms that only this exact version is vulnerable. No other vendors or product versions are listed in the CNA data, so administrators should verify that they are running this specific version and that update_password.php is hosted in their environment.", "description_and_impact": "SourceCodester Engineers Online Portal version 1.0 contains an unsanitized SQL injection flaw in the update_password.php script where the new_password parameter is directly concatenated into a database query. This weakness, identified as CWE-89, permits an attacker to modify the intended SQL statement and execute arbitrary commands against the underlying database. Successful exploitation could result in unauthorized reading, alteration, or deletion of sensitive data stored in the portal\u2019s database, thereby compromising data integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. EPSS is reported to be less than 1%, suggesting that while the flaw is severe, its exploitation probability is currently low, possibly due to limited public exposure or lack of known exploit code. The vulnerability does not appear in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a remote HTTP request to the password update endpoint. If an attacker can reach update_password.php, either as an authenticated user or, if the endpoint is publicly accessible, they could craft a malicious new_password value to inject arbitrary SQL statements, potentially gaining unauthorized data access or manipulating application data."}}}}, "created": "2026-04-13T12:51:42.427611+00:00", "title": "SQL Injection in SourceCodester Engineers Online Portal Password Update", "updated": "2026-04-15T16:00:07.796463+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$engineers_online_portal"]}