CVE-2026-10242
Description
itsourcecode Content Management System 1.0 suffers from a SQL injection in /instructions.php via the topic_id parameter, enabling remote unauthenticated data theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the /instructions.php file of itsourcecode Content Management System version 1.0. The topic_id parameter passed via GET request is not properly sanitized before being used in SQL queries, leading to SQL injection. The affected version is V1.0 as reported by the vendor and the security researcher [2].
Exploitation
An attacker can exploit this vulnerability remotely. The CVE description characterises it as unauthenticated, while the researcher's write-up cited in the vulnerability mechanics below lists low-privilege credentials as a requirement, so verify whether /instructions.php enforces a login before relying on either statement. The attack vector is the topic_id parameter of the GET request. Proof-of-concept payloads have been published, including a time-based blind injection (e.g., 1' AND (SELECT 6072 FROM (SELECT(SLEEP(5)))wkSQ) AND 'rAMs'='rAMs, which delays the response by roughly five seconds when the injected condition is evaluated) and a UNION-based injection (e.g., 1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b7a6a71,....),NULL,NULL,NULL-- -, which works because its six columns match the column count of the original query; the hex markers 0x716b7a6a71 and 0x716b6b7871 decode to qkzjq and qkkxq and let a tool such as sqlmap locate its output in the returned page). Together they show that an attacker can extract data either by observing response timing or by reading query results directly in the response [2].
Impact
Successful exploitation lets an attacker run arbitrary SQL as the application's database account: reading sensitive data such as stored credentials and, depending on that account's privileges, modifying or deleting database contents and potentially extending the compromise to the host. This threatens data confidentiality, integrity, and availability [2].
Mitigation
As of the publication date (2026-06-01), no official patch or fixed version has been released by the vendor; version 1.0 remains vulnerable. The proper fix is in the code: validate topic_id as an integer and pass it to the database through a prepared statement instead of string concatenation [2]. Operators who cannot modify the source should treat access restrictions on /instructions.php, request filtering at a reverse proxy or WAF, and a least-privilege database account as interim measures only, since request filters can be bypassed. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
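Until a fix ships, the published payloads are easy to spot in web server access logs because a legitimate topic_id is a bare integer. The following scanner is an added example, not part of the advisory or of the vendor's code: it parses combined-format log lines, URL-decodes the topic_id value sent to /instructions.php, and flags anything non-numeric, classifying the time-based (SLEEP/BENCHMARK/pg_sleep/WAITFOR) and UNION-based techniques seen in the PoC. The log lines are constructed for the example; the IPs, timestamps and user agents are not real.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Lines 2 and 3 carry URL-encoded versions of the payloads published for this CVE.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /instructions.php?topic_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2026:10:00:07 +0000] "GET /instructions.php?topic_id=1%27%20AND%20%28SELECT%206072%20FROM%20%28SELECT%28SLEEP%285%29%29%29wkSQ%29%20AND%20%27rAMs%27%3D%27rAMs HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
203.0.113.5 - - [01/Jun/2026:10:00:09 +0000] "GET /instructions.php?topic_id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x716b7a6a71%2C0x74%2C0x716b6b7871%29%2CNULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 6010 "-" "sqlmap/1.8"
198.51.100.9 - - [01/Jun/2026:10:01:00 +0000] "GET /instructions.php?topic_id=42 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Technique classifiers applied to the *decoded* parameter value.
SQLI_PATTERNS = [
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I)),
    ("union-based", re.compile(r"\bUNION\b(?:\s+ALL|\s+DISTINCT)?\s+SELECT\b", re.I)),
]

VULNERABLE_PATH = "/instructions.php"


def suspicious_reasons(value):
    """Return why a topic_id value looks hostile; empty list means it is a plain integer."""
    reasons = []
    if not re.fullmatch(r"\d{1,10}", value):
        reasons.append("non-integer topic_id")
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(value):
            reasons.append(name)
    return reasons


def scan_log(text):
    """Yield one finding per request to /instructions.php whose topic_id is not a bare integer."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        parts = urlsplit(match.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes the values, so the patterns see the raw SQL.
        for value in parse_qs(parts.query).get("topic_id", []):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append({
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "status": match.group("status"),
                    "topic_id": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["reasons"], repr(finding["topic_id"][:40]))
```

The allow-list check (a bare integer) is the part that matters operationally: it catches payloads the two technique regexes do not know about, while the technique labels help triage. Point it at the real log file, or feed the same logic to a SIEM rule keyed on the decoded query string.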
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- itsourcecode Content Management System, version range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and lack of parameterized queries in `/instructions.php` allow SQL injection via the `topic_id` parameter."
Attack vector
An attacker sends a crafted GET request to `/instructions.php` with a malicious `topic_id` parameter [ref_id=1]. The application fails to neutralize special SQL syntax in this input, allowing the attacker to inject arbitrary SQL commands [CWE-89]. The researcher demonstrated both time-based blind and UNION query payloads, e.g. `topic_id=1' AND (SELECT 6072 FROM (SELECT(SLEEP(5)))wkSQ) AND 'rAMs'='rAMs` [ref_id=1]. The attack is remotely exploitable over the network with low complexity. The researcher's write-up lists low-privilege authentication as a requirement [ref_id=1], whereas the CVE description above characterises the issue as unauthenticated; until the login check on `/instructions.php` has been verified, treat the endpoint as reachable by any client.
Affected code
The vulnerability resides in the file `/instructions.php` of itsourcecode Content Management System V1.0 [ref_id=1]. The `topic_id` GET parameter is passed unsanitized into SQL queries, with no input validation or parameter binding applied [ref_id=1].
What the fix does
No patch has been published by the vendor. The researcher recommends using prepared statements with parameter binding to separate SQL code from user input, strictly validating and filtering input (e.g., ensuring `topic_id` matches a numeric pattern), minimizing database user permissions, and conducting regular security audits [ref_id=1].
Preconditions
- auth: Attacker must have valid login credentials for the Content Management System (per the researcher's write-up; the CVE description states the issue is unauthenticated, see Attack vector)
- network: Attacker must be able to send HTTP GET requests to the /instructions.php endpoint
- input: The topic_id parameter must be accepted without sanitization or validation
Reproduction
1. Log in to the Content Management System with valid credentials (if the endpoint turns out to be reachable without a session, this step is unnecessary).
2. Send a GET request to `/instructions.php?topic_id=1' AND (SELECT 6072 FROM (SELECT(SLEEP(5)))wkSQ) AND 'rAMs'='rAMs` and compare the response time with that of `topic_id=1`; a delay of roughly five seconds confirms time-based blind SQL injection.
3. Alternatively, send a UNION query payload: `topic_id=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b7a6a71,0x746346546d7661594b67776141694158697946414f58444c784a70585855724b5775455674477547,0x716b6b7871),NULL,NULL,NULL-- -`; the marker-wrapped string appears in the page body, confirming that query results can be read directly [ref_id=1].
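The exploitation, reproduction and "what the fix does" sections above all come down to one query built by string concatenation versus the same query with a validated, bound parameter. The following is an added example written for this page, not the vendor's PHP or the researcher's code: it models `/instructions.php` against an in-memory SQLite database, runs the published UNION payload against the concatenating version, shows it leaking a row from an unrelated table, and shows the hardened version rejecting the same input. The table and column names are assumptions (the advisory does not name them); six columns are used because the published payload selects six values. MySQL's `CONCAT()` and `0x...` string literals are rewritten as SQLite's `||` and quoted strings, and the `SLEEP()` probe has no SQLite equivalent, so only the UNION technique is reproduced.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for the CMS database; schema and data are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE topics (
            id INTEGER PRIMARY KEY, title TEXT, body TEXT,
            author TEXT, created TEXT, status TEXT
        );
        INSERT INTO topics VALUES
            (1, 'Getting started', 'Welcome.', 'staff', '2026-01-01', 'published');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
    """)
    return conn


def fetch_topic_vulnerable(conn, topic_id):
    """Reproduces the flaw: the raw GET value is spliced into the SQL text."""
    sql = f"SELECT * FROM topics WHERE id = '{topic_id}'"
    return conn.execute(sql).fetchall()


def fetch_topic_fixed(conn, topic_id):
    """Hardened form: allow-list the value as a positive integer, then bind it."""
    if not re.fullmatch(r"[1-9]\d{0,9}", topic_id):
        raise ValueError("topic_id must be a positive integer")
    return conn.execute(
        "SELECT * FROM topics WHERE id = ?", (int(topic_id),)
    ).fetchall()


# The researcher's payload was:
#   1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b7a6a71,<data>,0x716b6b7871),NULL,NULL,NULL-- -
# 0x716b7a6a71 / 0x716b6b7871 decode to the markers 'qkzjq' / 'qkkxq'.
# Same structure, SQLite syntax, pulling a credential instead of a fixed string:
UNION_PAYLOAD = (
    "1' UNION ALL SELECT NULL,NULL,"
    "'qkzjq' || username || ':' || password || 'qkkxq',"
    "NULL,NULL,NULL FROM users-- -"
)

MARKED = re.compile(r"qkzjq(.*?)qkkxq")


def extract_marked(rows):
    """Recover the marker-delimited values from a result set, as sqlmap does from a page."""
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str):
                found.extend(MARKED.findall(cell))
    return found


def fixed_rejects(conn, topic_id):
    """True if the hardened handler refuses the value before it reaches the database."""
    try:
        fetch_topic_fixed(conn, topic_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable handler leaked:", extract_marked(fetch_topic_vulnerable(conn, UNION_PAYLOAD)))
    print("fixed handler rejects payload:", fixed_rejects(conn, UNION_PAYLOAD))
    print("fixed handler, valid id:", fetch_topic_fixed(conn, "1"))
```

Two points carry over to the real PHP fix: the placeholder (`?` here, `bind_param` in mysqli or a PDO placeholder) is what actually separates code from data, and the integer allow-list is defence in depth that also gives the application a clean 400 response path instead of a database error. Casting with `(int)` alone would also stop this payload, but binding is what survives the next parameter that is not numeric.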
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: no linked articles in our index yet.