CVE-2026-10256
SQL Injection in itsourcecode CMS 1.0
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | content_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue found in the itsourcecode Content Management System version 1.0, specifically in the /save_comment.php file. It arises from improper input sanitization of the 'name' parameter, allowing attackers to inject malicious SQL code.
The attack is a time-based blind SQL injection, meaning attackers can manipulate database queries indirectly by observing response times. Remote exploitation is possible, and the exploit code is publicly available.
How can this vulnerability impact me? :
An attacker with valid credentials can exploit this vulnerability to gain unauthorized access to the database. This can lead to data leakage, tampering with data, gaining control over the system, and causing service disruptions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a time-based blind SQL injection in the 'name' parameter of the /save_comment.php file. Detection can involve sending crafted requests to this endpoint and observing response delays or anomalies indicating SQL injection.
A common approach is to use tools like curl or sqlmap to test the vulnerability by injecting SQL payloads into the 'name' parameter and monitoring the response.
- Example curl command to test for SQL injection timing: curl -X POST -d "name=' OR SLEEP(5)-- " https://targetsite.com/save_comment.php -v
- Using sqlmap to automate detection: sqlmap -u "https://targetsite.com/save_comment.php" --data="name=test" --technique=T --time-sec=5
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements to prevent SQL injection, applying strict input validation on the 'name' parameter, and minimizing database user permissions to limit potential damage.
Additionally, conducting regular security audits and monitoring for suspicious activity can help detect and prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in itsourcecode Content Management System 1.0 allows attackers with valid credentials to perform unauthorized database access, data leakage, tampering, and system control. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.
Specifically, the exposure or manipulation of sensitive data due to this vulnerability could violate requirements for data confidentiality, integrity, and security under these standards, potentially resulting in legal and financial consequences for affected organizations.