CVE-2026-10256
Description
SQL injection in itsourcecode Content Management System 1.0 via the 'name' parameter in /save_comment.php allows remote attackers to execute arbitrary SQL queries without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 in the file /save_comment.php. The name parameter is not sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL. No authentication is required to reach this endpoint. [2]
Exploitation
An attacker can send a POST request to /save_comment.php with a crafted name parameter containing SQL injection payloads. The reference demonstrates a time-based blind SQL injection using SLEEP(). Tools like sqlmap can automate exploitation. No prior authentication or special network position is required. [2]
Impact
Successful exploitation allows an attacker to extract, modify, or delete database contents. This can lead to sensitive data leakage, data tampering, and potential full system compromise. The confidentiality and integrity of the application are at risk. [2]
Mitigation
No official patch has been released for version 1.0 as of the publication date. Users should restrict access to /save_comment.php, implement prepared statements, or disable the vulnerable functionality until a fix is available. The vendor has not provided a fixed version. [2]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to sanitize or validate the `name` parameter before using it in a SQL query, enabling SQL injection."
Attack vector
An attacker sends a POST request to `/save_comment.php` with a malicious payload in the `name` parameter. The advisory states that no authentication is required, so the attacker can exploit the vulnerability remotely over the network. The provided PoC uses a time-based blind SQL injection payload (`1' AND (SELECT 7513 FROM (SELECT(SLEEP(5)))ASpX) AND 'PRSC'='PRSC`) to exfiltrate data or cause a delay. [ref_id=1]
Affected code
The vulnerability resides in `/save_comment.php` of itsourcecode Content Management System V1.0. The `name` parameter is passed unsanitized into a SQL query, allowing an attacker to inject arbitrary SQL statements. [ref_id=1]
What the fix does
The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, which would prevent the injected data from being interpreted as SQL. It also suggests input validation, minimizing database user permissions, and regular security audits. No patch code is provided in the bundle. [ref_id=1]
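As an added illustration, not code from itsourcecode CMS or from the advisory: a hypothetical `save_comment.php` handler showing the assumed vulnerable concatenation pattern beside the prepared-statement form the advisory recommends. The `comments` table, its column names, the `comment` field and the length limits are assumptions.

```php
<?php
// Hypothetical handler (assumed shape, not the project's own code).

// --- Assumed vulnerable pattern: user input concatenated into the SQL text ---
function save_comment_vulnerable(mysqli $db, array $post): bool
{
    $name    = $post['name'] ?? '';
    $comment = $post['comment'] ?? '';
    // `name` becomes part of the statement itself, so a quote character in the
    // input changes the query structure instead of being stored as data (CWE-89).
    $sql = "INSERT INTO comments (name, comment) VALUES ('$name', '$comment')";
    return $db->query($sql) === true;
}

// --- Hardened version: input validation plus a prepared statement ---
function save_comment_safe(mysqli $db, array $post): bool
{
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));

    // Validate before touching the database (limits are assumed values).
    if ($name === '' || strlen($name) > 100 || $comment === '' || strlen($comment) > 2000) {
        return false;
    }

    // Placeholders keep the query text fixed; the values travel separately and
    // are never parsed as SQL, whatever characters they contain.
    $stmt = $db->prepare('INSERT INTO comments (name, comment) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed credentials). Per the advisory's least-privilege advice, the
// account used here should hold only INSERT on the comments table.
// $db = new mysqli('localhost', 'cms_comments', 'secret', 'cms');
// $db->set_charset('utf8mb4');
// save_comment_safe($db, $_POST);
```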
Preconditions
- network: No authentication required; the attacker can reach the /save_comment.php endpoint over the network.
- input: The attacker must be able to send HTTP POST requests with arbitrary form data.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.