Itsourcecode: 10 SQLi and XSS Flaws Disclosed Across Three PHP Applications
Ten vulnerabilities, nine SQL injection and one cross-site scripting, were disclosed across three Itsourcecode PHP applications between May 24 and May 27, 2026, with public exploit code already available for most of them.

Key findings
- Nine SQL injection and one XSS vulnerability disclosed across three Itsourcecode PHP applications
- All three affected products — Courier Management System, Student Transcript Processing System, and Electronic Judging System — are version 1.0
- Public exploit code has been released for the majority of the disclosed flaws
- No official patches have been issued by Itsourcecode as of publication
- The batch is part of a larger 19-CVE disclosure wave across Sourcecodester-affiliated products
A batch of ten CVEs spanning three Itsourcecode PHP applications — Courier Management System 1.0, Student Transcript Processing System 1.0, and Electronic Judging System 1.0 — was published between May 24 and May 27, 2026, with the overwhelming majority being SQL injection flaws accompanied by publicly released exploit code.
The disclosure window opened on May 24 with CVE-2026-9383, a high-severity SQL injection (CVSS 7.3) in the Electronic Judging System's /intrams/admin/login.php file, where the Username parameter can be manipulated remotely. Two days later, on May 26, three more SQLi CVEs landed for the same product: CVE-2026-9525 in /admin/edit_judge.php (judge_id parameter), CVE-2026-9526 in /admin/edit_team.php (num_id parameter), and CVE-2026-9528 in /admin/delete_judge.php (judge_id parameter), all rated high severity at CVSS 7.3. A single medium-severity cross-site scripting bug, CVE-2026-9527 (CVSS 4.3), was also disclosed for the Electronic Judging System on the same day, affecting the /admin/judges.php file via the fname argument.
The Student Transcript Processing System 1.0 contributed three high-severity SQLi CVEs, all published on May 26. CVE-2026-9573 targets the studentId parameter in /admin/modules/student/index.php?view=view. CVE-2026-9574 affects both the studentId and cid parameters in /admin/modules/student/trans.php. CVE-2026-9575 targets the ID parameter in /admin/modules/class/index.php?view=view. All three carry a CVSS score of 7.3 and have public exploit code available.
The Courier Management System 1.0 rounds out the batch with two SQLi CVEs published on May 27. CVE-2026-9606 (CVSS 7.3) affects the ID parameter in /manage_user.php, while CVE-2026-9607 (CVSS 6.3, medium severity) affects the s parameter in /parcel_list.php. Both are remotely exploitable with publicly disclosed exploits.
Public exploit code has been released for the majority of the disclosed flaws, significantly lowering the barrier to attack. As of publication, no official patches have been issued by Itsourcecode for any of the three affected products. Because these applications are distributed as PHP source, operators running Courier Management System 1.0, Student Transcript Processing System 1.0, or Electronic Judging System 1.0 should treat them as vulnerable and patch the affected files themselves: replace string-built queries with prepared statements, bind numeric identifiers such as ID and judge_id as integers, and HTML-encode values such as fname before echoing them back to the page. Where source changes are not possible, restrict access to the affected endpoints (most of them under /admin/) and deploy web application firewall (WAF) rules as interim mitigations only; a WAF does not remove the underlying flaw.
This batch is part of a broader disclosure wave affecting Sourcecodester-affiliated PHP applications. A related report from Vypr Intelligence documented 19 CVEs across six products in a three-day window (May 23–26, 2026), with SQL injection dominating the set. The pattern underscores a persistent weakness in PHP-based academic and administrative web applications where user-supplied input is interpolated directly into SQL strings instead of being bound through prepared statements.
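The following is an added example, not code from Itsourcecode or from either advisory. It shows the unparameterized query pattern described above beside the prepared-statement fix recommended as mitigation, an integer-bound lookup for ID-style parameters, and output encoding for a value echoed into HTML. It runs offline against an in-memory SQLite database; the users table, its columns, the bcrypt password storage and the attack payload are all constructed for illustration and are not the real applications' schema or a published exploit. It also goes one step beyond the page's login case: the payload uses UNION to supply a row whose password hash the attacker chose, which shows that hashing passwords does not compensate for string-built SQL.

```php
<?php
// Added example (not Itsourcecode's code): string-interpolated SQL beside its
// parameterized replacement, run against an in-memory SQLite database so it
// works offline. Table layout, column names and password storage are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$seed->execute([':u' => 'admin', ':h' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)]);

// BEFORE: the pattern behind the SQLi CVEs. The username value is pasted into the
// SQL text, so the caller controls the query, not merely a value inside it.
function vulnerableLogin(PDO $db, string $username, string $password): ?string
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    foreach ($db->query($sql) as $row) {
        if (password_verify($password, $row['password_hash'])) {
            return $row['username'];
        }
    }
    return null;
}

// AFTER: the same lookup with a bound parameter. The input is compared literally
// against the username column, so an injection string simply matches no row.
function hardenedLogin(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return $row['username'];
    }
    return null;
}

// Numeric identifiers (the ID, judge_id, num_id style of parameter): validate the
// shape first, then bind as an integer instead of interpolating the raw string.
function hardenedFetchById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null; // anything other than a plain non-negative integer is rejected
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding for a value echoed back into HTML (the fname-style XSS case).
function safeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed attack input: a UNION that appends a row for 'admin' carrying a
// hash the attacker generated for a password they know.
$attackerHash = password_hash('attacker-pw', PASSWORD_DEFAULT);
$payload = "nobody' UNION SELECT 1, 'admin', '$attackerHash' -- ";

var_dump(vulnerableLogin($db, $payload, 'attacker-pw'));
var_dump(hardenedLogin($db, $payload, 'attacker-pw'));
var_dump(hardenedLogin($db, 'admin', 'correct-horse-battery'));
var_dump(hardenedFetchById($db, '1 OR 1=1'));
echo safeHtml('<script>alert(1)</script>'), "\n";
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The vulnerable function returns the admin username for the payload because the UNION row satisfies password_verify, while the hardened function returns null for the same input and only succeeds for the real credentials; the integer lookup rejects `1 OR 1=1` before any SQL runs, and the encoded script tag comes back as inert text. The design point is that the fix is structural, binding values as parameters, rather than filtering characters out of the input.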
Organizations using any of these three Itsourcecode applications should treat them as high-risk until official patches are released. The availability of public exploit code means that unpatched instances are likely to be scanned and targeted by automated attack tools in the coming days.