CVE-2026-10251
Description
SQL injection in itsourcecode Online House Rental System 1.0 login endpoint allows remote unauthenticated attackers to execute arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in itsourcecode Online House Rental System 1.0 login endpoint allows remote unauthenticated attackers to execute arbitrary SQL queries.
Vulnerability
The Online House Rental System version 1.0 from itsourcecode contains a SQL injection vulnerability in the /ajax.php file when handling the action=login parameter. The Username parameter is directly concatenated into SQL queries without sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. The vulnerable file is located at /ajax.php?action=login. [1][2]
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to /ajax.php?action=login with a malicious Username parameter containing SQL injection payloads. No authentication or prior access is required. The exploit has been publicly disclosed with a proof-of-concept. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries on the database, leading to unauthorized access to sensitive data, data modification or deletion, and potentially full system compromise. The attacker can bypass authentication and gain control over the application's backend. [2]
Mitigation
As of the publication date, no official patch has been released by itsourcecode. Users should apply input validation and use prepared statements to mitigate the vulnerability. The software is no longer actively maintained? Not stated, but we can say no fix available. Alternatively, we can mention that the vendor has not responded. Since reference [1] is just the vendor homepage, no fix mentioned. So we write: "No official fix has been provided by the vendor. Users should implement input sanitization and use parameterized queries as a workaround." [1][2]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `username` parameter in `/ajax.php?action=login` is directly concatenated into SQL queries without input validation or sanitization."
Attack vector
An unauthenticated attacker sends a POST request to `/ajax.php?action=login` with a malicious `username` parameter. Because the input is not sanitized, the attacker can inject SQL clauses such as `' AND 1838=1838 AND 'MGsS'='MGsS` to perform boolean-based, error-based, or time-based blind SQL injection [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required.
Affected code
**File:** `/ajax.php?action=login` in the Online House Rental System V1.0. The `username` parameter is passed directly into SQL queries without sanitization or validation [ref_id=1].
What the fix does
The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. No patch has been published by the vendor.
Preconditions
- authNo authentication required; the vulnerable endpoint is publicly accessible.
- networkAttacker must be able to send HTTP POST requests to the server.
- inputThe `username` POST parameter is accepted without sanitization.
Reproduction
Send a POST request to `/house_rental/ajax.php?action=login` with `Content-Type: application/x-www-form-urlencoded`. Use a payload such as `username=admin' AND 1838=1838 AND 'MGsS'='MGsS&password=admin123` to trigger boolean-based blind SQL injection [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6News mentions
0No linked articles in our index yet.