CVE-2026-7074
SQL Injection in itsourcecode CMS /execute1.php Allows Remote Exploit
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | construction_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection found in the Construction Management System version 1.0, specifically in the "/execute1.php" file through the 'code' parameter. The application does not properly sanitize or validate this input before using it in SQL queries, allowing attackers to inject malicious SQL code.
The attack can be performed remotely without requiring authentication or prior system access. Exploiting this vulnerability allows an attacker to manipulate SQL queries, potentially leading to unauthorized access to the database, leakage of sensitive data, data tampering, full system control, and service interruptions.
A proof-of-concept demonstrates a time-based blind SQL injection using MySQL's SLEEP function to confirm the vulnerability.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to your database, exposure of sensitive information, alteration or deletion of data, and potential full control over the affected system by an attacker.
It can also lead to service interruptions, affecting business continuity and system availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the 'code' parameter in POST requests to the /execute1.php file for injection flaws.
A proof-of-concept uses a time-based blind SQL injection payload that induces a delay using the MySQL SLEEP function.
You can use the sqlmap tool to confirm the vulnerability without requiring authentication.
- Example payload to test the 'code' parameter: code=1' AND (SELECT 5523 FROM (SELECT(SLEEP(5)))VJQr) AND 'PvDl'='PvDl
- Run sqlmap against the target URL with the vulnerable parameter, for example: sqlmap -u "http://target/execute1.php" --data="code=1" --technique=T --time-sec=5
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Use prepared statements and parameter binding to separate SQL code from user input, preventing injection.
- Implement strict input validation and filtering to ensure inputs conform to expected formats, such as numeric patterns for IDs.
- Minimize database user permissions by avoiding high-privilege accounts for routine operations.
- Conduct regular security audits to detect and address vulnerabilities promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Construction Management System 1.0 can lead to unauthorized database access, sensitive data leakage, data tampering, and full system control by attackers. Such security breaches can result in the exposure or alteration of personal and sensitive information, which directly impacts compliance with data protection regulations like GDPR and HIPAA that mandate the protection of personal and health-related data.
Failure to prevent such vulnerabilities may lead to violations of these regulations, potentially resulting in legal penalties, loss of customer trust, and damage to business continuity.
Therefore, this vulnerability poses a significant risk to maintaining compliance with common standards and regulations that require safeguarding sensitive data against unauthorized access and manipulation.