CVE-2026-10258

Vulnerability

The vulnerability resides in the /admin/add_sub_topic.php file of itsourcecode Content Management System version 1.0. The application fails to properly sanitize or validate the topic_id parameter before incorporating it into SQL queries. An attacker who has logged in with valid credentials can inject malicious SQL code through this GET parameter [1], [2]. The issue is classified as a SQL injection, with the vulnerable parameter being topic_id.

Exploitation

To exploit the vulnerability, an attacker must have valid login credentials for the administrative interface, as the vulnerable page is located under the /admin/ directory. With a valid session, the attacker sends a crafted GET request to /admin/add_sub_topic.php with a malicious topic_id value. The public proof-of-concept demonstrates a UNION-based injection that extracts data by concatenating arbitrary strings into the query result. The provided PoC payload uses a UNION ALL SELECT with 18 NULL columns to map the query structure [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the backend database. This can lead to unauthorized access to sensitive data, data tampering, and potentially full system compromise depending on the database server's configuration. The attacker can extract or modify any information stored in the database, including user credentials, session data, and other application content [2].

Mitigation

As of the available references, no official patch or fixed version has been released by itsourcecode. The vendor homepage [1] does not mention a security update. Users should consider implementing input validation and parameterized queries for the topic_id parameter in /admin/add_sub_topic.php as a workaround. A web application firewall (WAF) may also help mitigate exploitation until an official fix is provided.