CVE-2026-13550

SQL Injection in Itsourcecode Baptism Information Management System

Vulnerability report for CVE-2026-13550, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A weakness has been identified in itsourcecode Baptism Information Management System 1.0. The impacted element is an unknown function of the file /delbaptism.php. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used in attacks.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: itsourcecode
Product: baptism_information_management_system
Version / Range: 1.0

Exploitability

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

The CVE-2026-13550 vulnerability affects the Baptism Information Management System version 1.0, specifically in the file delbaptism.php. It is caused by improper sanitization of the "id" parameter, which allows an attacker to inject malicious SQL code directly into database queries.

This SQL injection flaw enables attackers to manipulate the database remotely without requiring login or authorization.

Exploitation can be done using techniques like time-based blind SQL injection and automated tools such as sqlmap.

Immediate mitigation involves using prepared statements with parameter binding, validating and filtering user input, and restricting database user permissions.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to the database, leakage of sensitive data, tampering or modification of data, potential takeover of the system, and disruption of services.

Since the attack can be performed remotely without authentication, it poses a significant security risk to affected systems.

Detection Guidance

The vulnerability in the Baptism Information Management System 1.0 can be detected by testing the "id" parameter in the /delbaptism.php file for SQL injection flaws.

One common method is to use automated tools like sqlmap to test for SQL injection by targeting the vulnerable parameter.

  • Use sqlmap with a command such as: sqlmap -u "http://target/delbaptism.php?id=1" --batch --dbs
  • Manually test by injecting SQL payloads into the "id" parameter, for example: http://target/delbaptism.php?id=1' OR '1'='1

Monitoring network traffic for suspicious requests targeting the "id" parameter with SQL injection patterns can also help detect exploitation attempts.
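The monitoring idea above, turned into a log-side check. This is an added example, not part of the advisory: it assumes the web server writes a combined-format access log (the sample lines are constructed) and relies on the one fact the page gives, that /delbaptism.php takes a numeric id, so any other value on that path is an anomaly worth alerting on.

```php
<?php
// Added detection example for CVE-2026-13550; not part of the original advisory.
// Constructed sample of combined-format access log lines (not real traffic).
$sampleLog = <<<'LOG'
203.0.113.5 - - [29/Jun/2026:10:01:02 +0000] "GET /delbaptism.php?id=17 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jun/2026:10:02:10 +0000] "GET /delbaptism.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jun/2026:10:02:11 +0000] "GET /delbaptism.php?id=1 HTTP/1.1" 302 0 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.7 - - [29/Jun/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
LOG;

// Returns a list of [line_no, client_ip, reason] for requests that deserve a look.
// Rule 1: delbaptism.php only ever takes a numeric id, so a non-numeric id is
//         an anomaly regardless of which injection syntax it carries.
// Rule 2: a scanner User-Agent on that path is a weak corroborating signal.
function find_suspicious_requests(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $n => $line) {
        $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"/';
        if (!preg_match($re, $line, $m)) {
            continue; // not a parsable access-log line
        }
        [, $ip, $target, $ua] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/delbaptism.php') {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        $id = $params['id'] ?? null; // parse_str already URL-decodes the value
        if (!is_string($id) || !ctype_digit($id)) {
            $hits[] = [$n + 1, $ip, 'non-numeric id: ' . var_export($id, true)];
        } elseif (stripos($ua, 'sqlmap') !== false) {
            $hits[] = [$n + 1, $ip, 'scanner user-agent: ' . $ua]; // UA is trivially spoofed
        }
    }
    return $hits;
}

foreach (find_suspicious_requests($sampleLog) as [$lineNo, $ip, $reason]) {
    printf("line %d from %s: %s\n", $lineNo, $ip, $reason);
}
```

On the sample, line 2 is flagged for its non-numeric id and line 3 for the scanner User-Agent; the benign request on line 1 and the unrelated page on line 4 are not.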

Compliance Impact

The SQL injection vulnerability in the Baptism Information Management System 1.0 allows unauthorized access to the database, which can lead to data leakage, data tampering, and unauthorized system control. Such unauthorized access and potential exposure of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Specifically, the vulnerability could compromise the confidentiality, integrity, and availability of data, which are core principles in these regulations. Failure to protect against such attacks may lead to legal and financial penalties under these standards.

Mitigation Strategies

Immediate mitigation steps include fixing the SQL injection vulnerability by using prepared statements with parameter binding in the /delbaptism.php file.

Additionally, validate and filter all user inputs, especially the "id" parameter, to ensure only expected data is processed.

Restrict database user permissions to the minimum necessary to reduce potential damage if exploitation occurs.

If possible, apply any available patches or updates from the software provider.
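What the first three steps look like in code. This is an added illustration, not the project's delbaptism.php: the table name tblbaptism and column id are assumptions, since the advisory does not show the schema. It places the vulnerable string-building pattern (CWE-89) next to a handler that validates the id and binds it through a prepared statement.

```php
<?php
// Added illustration for CVE-2026-13550; not the project's own code.
// The table name `tblbaptism` and the column `id` are assumptions: the
// real schema behind delbaptism.php is not given in the advisory.

// Vulnerable pattern (CWE-89): the request value is spliced into the SQL text,
// so a crafted id is interpreted as SQL rather than as data.
function delete_baptism_unsafe(mysqli $db, string $id): bool
{
    $sql = "DELETE FROM tblbaptism WHERE id = '" . $id . "'";
    return $db->query($sql) !== false;
}

// Hardened version: validate the parameter, then bind it so it can only be data.
function delete_baptism_safe(mysqli $db, string $id): bool
{
    // A record id is a positive integer of sane length; reject anything else
    // before the database sees it (the "validate and filter" step).
    if (!ctype_digit($id) || $id === '0' || strlen($id) > 10) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM tblbaptism WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $idInt = (int) $id;
    $stmt->bind_param('i', $idInt); // 'i' types the placeholder as an integer
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Entry point as delbaptism.php might call it. The DB account used here
// should hold only the privileges this page needs (DELETE on this table),
// which limits the damage if another injection is found later.
mysqli_report(MYSQLI_REPORT_OFF);
$db = new mysqli('localhost', 'baptism_app', getenv('DB_PASS') ?: '', 'baptism_db');
if ($db->connect_errno) {
    http_response_code(500);
    exit('database unavailable');
}
$ok = delete_baptism_safe($db, (string) ($_GET['id'] ?? ''));
http_response_code($ok ? 302 : 400);
if ($ok) {
    header('Location: index.php?deleted=1');
}
```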
