CVE-2026-5681

Received Received - Intake

SQL Injection in itsourcecode Parameter Handler Allows Remote Exploit

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description

A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-06

Last Modified

2026-04-29

Generated

2026-05-07

AI Q&A

2026-04-07

EPSS Evaluated

2026-05-05

NVD

CVE-2026-5681

EUVD

EUVD-2026-19466

Affected Vendors & Products

Vendor	Product	Version / Range
itsourcecode	construction_management_system	1.0
itsourcecode	sanitize_or_validate	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This SQL injection vulnerability allows attackers to gain unauthorized access to sensitive data, potentially leading to data leakage, tampering, and full system compromise.

Such unauthorized access and potential exposure of sensitive information can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data.

Failure to prevent such vulnerabilities may lead to violations of these standards, resulting in legal penalties, reputational damage, and loss of trust.

Can you explain this vulnerability to me?

This vulnerability is a SQL injection flaw found in the Construction Management System V1.0, specifically in the "/borrowedequip.php" file through the 'emp_id' GET parameter. The application does not properly sanitize or validate the 'emp_id' input before using it in SQL queries. This allows an authenticated attacker to inject malicious SQL code by manipulating the 'emp_id' parameter after logging in with valid credentials.

The vulnerability enables attackers to alter SQL queries, potentially leading to unauthorized access to the database, leakage of sensitive data, data tampering, full system control, and disruption of services.

How can this vulnerability impact me? :

Exploitation of this SQL injection vulnerability can have severe impacts including unauthorized database access, exposure of sensitive information, modification or deletion of data, complete system compromise, and interruption of normal service operations.

Unauthorized database access
Sensitive data leakage
Data tampering or deletion
Full system control by attackers
Service disruption affecting business continuity

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL injection vulnerability in the '/borrowedequip.php' file can be detected by testing the 'emp_id' GET parameter for injection flaws.

A proof-of-concept uses a time-based blind SQL injection payload to confirm the vulnerability.

You can use the sqlmap tool to test the parameter by running a command similar to:

sqlmap -u "http://target/borrowedequip.php?emp_id=1" --cookie="your_auth_cookie" --technique=T --dbms=MySQL

The payload used in manual testing is: emp_id=1' AND (SELECT 8921 FROM (SELECT(SLEEP(5)))cRbZ) AND 'oinW'='oinW which causes a delay if vulnerable.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

Use prepared statements with parameter binding to separate SQL code from user input, preventing injection.
Implement strict input validation and filtering to ensure inputs conform to expected formats, such as numeric patterns for IDs.
Minimize database user permissions by avoiding high-privilege accounts like 'root' or 'admin' for routine operations.
Conduct regular security audits to detect and remediate vulnerabilities promptly.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-5681

SQL Injection in itsourcecode Parameter Handler Allows Remote Exploit

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart