CVE-2026-10252
Description
SQL injection in /manage_tenant.php allows unauthenticated remote attackers to execute arbitrary SQL queries, leading to data breach or compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /manage_tenant.php file of itsourcecode Online House Rental System version 1.0. The id parameter is directly used in SQL queries without proper sanitization or validation, allowing attackers to inject malicious SQL code. No authentication is required to exploit this vulnerability [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to /house_rental/manage_tenant.php?id= with an injected value in place of the numeric tenant id. The provided proof-of-concept demonstrates that the injection point is reachable remotely without any prior authentication; the attacker only needs to manipulate the id parameter to execute arbitrary SQL statements [2].
Impact
Successful exploitation can lead to unauthorized database access, disclosure of sensitive information, data modification or deletion, full system control, and potential service disruption. This poses a serious threat to system security and business continuity [2].
Mitigation
As of the publication date, no official fix has been released by the vendor. Users are advised to implement input validation and parameterized queries, or deploy a web application firewall (WAF) to mitigate the risk. The affected version is 1.0; upgrading to a patched version, if available in the future, is recommended [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- itsourcecode Online House Rental System, Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` parameter in `/manage_tenant.php` is used directly in SQL queries without input validation or sanitization, enabling SQL injection."
Attack vector
An unauthenticated attacker sends a crafted GET request to `/manage_tenant.php` with a malicious `id` parameter. Because the parameter is used directly in SQL queries, the attacker can perform boolean-based blind, error-based, time-based blind, or UNION-based SQL injection [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required.
Affected code
The vulnerability resides in `/manage_tenant.php` of itsourcecode Online House Rental System 1.0. The `id` parameter is taken directly from the GET request and interpolated into SQL queries without sanitization or prepared statements [ref_id=1].
What the fix does
The advisory recommends using prepared statements with parameter binding to separate SQL code from user data, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. No official patch has been published by the vendor.
Preconditions
- network: The attacker must be able to send HTTP requests to the server hosting the vulnerable application.
- auth: No authentication or login is required to reach the vulnerable endpoint.
- input: The `id` parameter is accepted via GET and passed unsanitized into SQL queries.
Reproduction
Send a GET request to `/house_rental/manage_tenant.php?id=3 AND 3340=3340` to confirm boolean-based blind injection: the response should match that of `id=3`, while a false condition such as `id=3 AND 3340=3341` should produce a different (typically empty) page. For time-based blind, use `id=3 AND (SELECT 4213 FROM (SELECT(SLEEP(5)))CnHb)` and check that the response is delayed by about five seconds. The full PoC request is provided in the reference write-up [ref_id=1].
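The following is an added worked example, not code from the itsourcecode project or from the reference write-up. It models the root cause described under "Attack vector" and "Affected code" (the raw `id` value interpolated into the query), the fix recommended under "What the fix does" (validate, then bind as a parameter), and the boolean-based pair from "Reproduction". The tenant table, column names and sample rows are constructed for the demo; the real schema is not on this page. SQLite is used so it runs offline, which means the MySQL `SLEEP()` time-based payload is not simulated here, but a UNION-based read of `sqlite_master` stands in for the arbitrary-query access the advisory describes (on MySQL the equivalent target would be `information_schema`).

```python
import sqlite3

# Constructed sample data standing in for the application's tenant records.
TENANTS = [
    (1, "alice", "12 Oak St"),
    (2, "bob", "7 Pine Ave"),
    (3, "carol", "90 Elm Rd"),
]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenant (id INTEGER PRIMARY KEY, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO tenant VALUES (?, ?, ?)", TENANTS)
    return conn


def vulnerable_lookup(conn, id_param):
    """Mirror of the advisory's root cause: `id` is interpolated into the SQL text,
    so anything after the number becomes part of the WHERE clause."""
    sql = f"SELECT id, name, address FROM tenant WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, id_param):
    """The recommended fix: reject non-integer input, then bind the value so the
    database driver never treats it as SQL."""
    try:
        tenant_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name, address FROM tenant WHERE id = ?", (tenant_id,)
    ).fetchall()


def boolean_blind_probe(lookup, base_id="3"):
    """Confirm boolean-based blind injection the way the reproduction step does:
    a true condition must reproduce the baseline page, a false one must not.
    `lookup` is a callable taking the raw id string and returning rows."""
    baseline = lookup(base_id)
    try:
        true_rows = lookup(f"{base_id} AND 3340=3340")
        false_rows = lookup(f"{base_id} AND 3340=3341")
    except sqlite3.Error:
        return False  # a syntax error on the payload is not a confirmed injection
    return true_rows == baseline and false_rows != baseline


def union_extract_tables(conn):
    """UNION-based read through the vulnerable path; the column count (3) must
    match the original SELECT for the UNION to be accepted."""
    rows = vulnerable_lookup(conn, "0 UNION SELECT 1, name, sql FROM sqlite_master")
    return [row[1] for row in rows]


def run_demo():
    """Run the probe against both code paths and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_injectable": boolean_blind_probe(lambda p: vulnerable_lookup(conn, p)),
        "hardened_injectable": boolean_blind_probe(lambda p: hardened_lookup(conn, p)),
        "hardened_normal_lookup": hardened_lookup(conn, "3"),
        "hardened_payload_lookup": hardened_lookup(conn, "3 AND 3340=3340"),
        "union_tables": union_extract_tables(conn),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The probe deliberately requires both halves of the pair: a true condition that reproduces the baseline and a false one that diverges. A single `3 AND 3340=3340` request matching `id=3` is consistent with injection but also with an application that strips everything after the first integer, so on its own it proves nothing. Against the hardened path the true payload is rejected before reaching the database, the two probe results coincide, and the function correctly reports the endpoint as not injectable.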
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.