CVE-2026-15672
Received Received - Intake

SQL Injection in Electronic Judging System 1.0

Vulnerability report for CVE-2026-15672, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: VulDB

Description

A vulnerability was determined in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /intrams/admin/add_judges.php. This manipulation of the argument fname causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode electronic_judging_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection (SQLi) flaw in the Itsourcecode Electronic Judging System 1.0. It specifically affects the file `/intrams/admin/add_judges.php`, where the `fname` parameter is improperly sanitized or validated. An attacker can manipulate this parameter to inject malicious SQL queries into the application's database.

SQL injection occurs when user-supplied input is directly concatenated into SQL statements without proper escaping or parameterization. This allows attackers to alter the structure of the query, potentially gaining unauthorized access to the database, extracting sensitive data, modifying or deleting records, or even executing administrative operations on the database server.

  • The vulnerability can be exploited remotely, meaning an attacker does not need physical access to the system to execute the attack.
  • A proof-of-concept exploit has been publicly disclosed, demonstrating the vulnerability by causing a delay in the database response, confirming the ability to inject arbitrary SQL commands.
Impact Analysis

The SQL injection vulnerability in the Electronic Judging System can have severe consequences for individuals or organizations using the affected software. Here are the potential impacts:

  • Unauthorized Data Access: Attackers can extract sensitive information from the database, such as user credentials, personal data, or confidential records.
  • Data Tampering: Malicious actors can modify, delete, or insert false data into the database, compromising the integrity of the system's records.
  • System Compromise: In some cases, SQL injection can lead to full control over the underlying system, allowing attackers to execute commands, install malware, or pivot to other systems in the network.
  • Loss of Trust: A successful attack can erode trust in the system, especially if sensitive or personal data is exposed or manipulated.
  • Operational Disruption: The system may become unstable or unavailable due to malicious queries, leading to downtime or loss of functionality.

The CVSS scores (v3.1: 6.3, v2.0: 6.5) indicate a medium to high severity, reflecting the potential for significant damage if exploited.

Compliance Impact

This SQL injection vulnerability can have serious implications for compliance with various data protection and privacy regulations, depending on the type of data processed by the Electronic Judging System. Below are the potential impacts on common standards and regulations:

  • GDPR (General Data Protection Regulation): If the system processes personal data of EU citizens, this vulnerability could lead to a data breach, resulting in unauthorized access to or disclosure of personal data. GDPR requires organizations to implement appropriate technical measures to protect personal data. Failure to address this vulnerability could result in non-compliance, leading to hefty fines (up to 4% of global annual revenue or €20 million, whichever is higher) and reputational damage.
  • HIPAA (Health Insurance Portability and Accountability Act): If the system handles protected health information (PHI), this vulnerability could expose sensitive patient data. HIPAA mandates strict safeguards for PHI, and a breach due to SQL injection could result in violations, fines, and legal consequences for covered entities and business associates.
  • PCI DSS (Payment Card Industry Data Security Standard): If the system processes payment card information, this vulnerability could lead to the exposure of cardholder data. PCI DSS requires secure handling of such data, and a breach could result in non-compliance, fines, or loss of the ability to process payments.
  • Other Regulations: Depending on the jurisdiction and industry, other standards such as FISMA (Federal Information Security Management Act), SOX (Sarbanes-Oxley Act), or industry-specific guidelines may also be impacted. Non-compliance could lead to legal penalties, loss of certifications, or contractual liabilities.

To maintain compliance, organizations must address this vulnerability promptly by applying patches, implementing secure coding practices (e.g., prepared statements, input validation), and conducting regular security audits.

Detection Guidance

To detect the SQL injection vulnerability in the Electronic Judging System 1.0, you can perform the following steps:

  • Identify if the vulnerable file `/intrams/admin/add_judges.php` exists on your system. This can be done using a simple file search command, such as:
  • `find /var/www/ -name "add_judges.php"` (Linux) or `dir /s add_judges.php` (Windows).
  • Test for the vulnerability by sending a crafted HTTP request to the `fname` parameter with a SQL injection payload. For example, you can use a tool like `curl` to send a request that triggers a delay in the database response, as demonstrated in the proof-of-concept:
  • `curl -X POST "http://<target>/intrams/admin/add_judges.php" -d "fname=test' OR (SELECT * FROM (SELECT(SLEEP(5)))a)-- -"`.
  • If the response is delayed by 5 seconds, the system is likely vulnerable to SQL injection.

Additionally, you can use automated vulnerability scanners like OWASP ZAP or Burp Suite to detect SQL injection vulnerabilities in web applications.

Mitigation Strategies

To mitigate the SQL injection vulnerability in the Electronic Judging System 1.0, take the following immediate steps:

  • Apply input validation to the `fname` parameter in `/intrams/admin/add_judges.php` to ensure only expected characters are accepted. Use allowlists for valid input patterns.
  • Replace raw SQL queries with prepared statements (parameterized queries) to separate SQL logic from user-supplied data. For example, in PHP, use `mysqli_prepare()` or PDO prepared statements.
  • Restrict database user permissions to minimize potential damage. Ensure the application's database user has only the necessary privileges (e.g., read/write access limited to specific tables).
  • Deploy a Web Application Firewall (WAF) to filter out malicious SQL injection attempts while a permanent fix is implemented.
  • Monitor logs for suspicious activity, such as unusual SQL queries or repeated failed login attempts, which may indicate exploitation attempts.

For long-term security, conduct a full security audit of the application, including code reviews and penetration testing, to identify and address other potential vulnerabilities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart