I found a vulnerability in a web app developed by my university. Can it have a CVE number?


The short answer is no.

If it is a closed source product and it is not off the shelf or being sold, assigning a CVE number has no advantage.

In fact, the CVE assignment authorities would not consider such a request.

Please ensure that the provider or product is present in the products and sources list: cve.mitre.org/cve/data_sources_product_coverage.html

A CVE number is a way to alert the public of a problem in applications that they may use. It is not a posterity number.

You should contact those responsible for maintaining the system and disclose it to them as soon as possible to minimize the risk of a malicious actor finding what was found.