CVE-2026-10265
Description
SQL injection in itsourcecode Content Management System 1.0 via topic_id parameter in /admin/edit_topic.php allows remote attackers to execute arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in itsourcecode Content Management System 1.0 via `topic_id` parameter in `/admin/edit_topic.php` allows remote attackers to execute arbitrary SQL queries.
Vulnerability
The vulnerability exists in itsourcecode Content Management System version 1.0, specifically in the file /admin/edit_topic.php. The topic_id parameter is not properly sanitized before being used in SQL queries, allowing SQL injection. The affected version is V1.0 [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication [2]. The parameter topic_id is passed via GET request. A UNION-based SQL injection payload can be used to extract data. The exploit is publicly available [description].
Impact
Successful exploitation allows an attacker to access unauthorized database content, leak sensitive data, tamper with data, and potentially gain comprehensive control over the system, leading to service interruption [2].
Mitigation
As of the publication date, no official patch has been released. The vendor homepage is itsourcecode.com [1]. Users should apply input validation and parameterized queries to mitigate the risk. The CVE is not listed on CISA KEV.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to sanitize or validate the `topic_id` GET parameter before using it in SQL queries, enabling SQL injection."
Attack vector
An attacker sends a crafted GET request to `/admin/edit_topic.php` with a malicious `topic_id` parameter, such as a UNION-based payload. The advisory states that exploitation requires valid login credentials, but also notes 'No AUTHENTICATION REQUIRED' — the bundle is contradictory on this point. The attack is remote and can be performed with standard HTTP tools like sqlmap. [ref_id=1]
Affected code
The vulnerability exists in `/admin/edit_topic.php` of itsourcecode Content Management System V1.0. The `topic_id` GET parameter is passed unsanitized into SQL queries, allowing an attacker to inject arbitrary SQL statements. [ref_id=1]
What the fix does
The advisory recommends using prepared statements with parameter binding, strict input validation and filtering (e.g., ensuring `topic_id` is numeric), minimizing database user permissions, and conducting regular security audits. No patch diff is provided in the bundle, so the exact code changes are unknown. [ref_id=1]
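The following is an added illustration of the mitigation the advisory recommends (strict numeric validation of `topic_id` plus a prepared statement with parameter binding); it is not code from the itsourcecode project and no patch diff exists in the bundle, so the table and column names (`topics`, `topic_id`, `title`, `body`), the mysqli connection details, and the surrounding request handling are all assumptions. The unsafe pattern in the first comment is the generic string-concatenation form the advisory describes, shown only for contrast.

```php
<?php
// Added example, not the project's own code. Assumed schema: table `topics`
// with integer primary key `topic_id` and text columns `title`, `body`.
//
// The class of defect described by the advisory is a query built by string
// concatenation, e.g.:
//   $sql = "SELECT * FROM topics WHERE topic_id = " . $_GET['topic_id'];
// Any text placed in topic_id becomes part of the SQL statement. The two
// functions below replace that with validation plus parameter binding.

declare(strict_types=1);

/**
 * Accept topic_id only as a canonical positive integer. FILTER_VALIDATE_INT
 * rejects values such as "1 UNION ...", "1.0", "0x1" or "1;" and returns
 * false, which is mapped to null here.
 */
function parse_topic_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one topic with a prepared statement. The value is sent to the server
 * as a bound integer, never interpolated into the SQL text, so even a
 * validation bypass could not change the query's structure.
 */
function fetch_topic(mysqli $db, int $topicId): ?array
{
    $stmt = $db->prepare(
        'SELECT topic_id, title, body FROM topics WHERE topic_id = ? LIMIT 1'
    );
    $stmt->bind_param('i', $topicId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling as it would sit in /admin/edit_topic.php, after whatever
// session/login check the admin area performs.
$topicId = parse_topic_id((string) ($_GET['topic_id'] ?? ''));
if ($topicId === null) {
    http_response_code(400);
    exit('Invalid topic_id');
}

// Placeholder credentials; per the advisory, this account should hold only
// the privileges the CMS needs (no FILE, no access to other databases).
$db = new mysqli('localhost', 'cms_user', 'cms_password', 'cms');
$db->set_charset('utf8mb4');

$topic = fetch_topic($db, $topicId);
if ($topic === null) {
    http_response_code(404);
    exit('Topic not found');
}
// Render the edit form from $topic, escaping every field with
// htmlspecialchars() so stored content cannot become script in the page.
```

Rejecting non-integer input with a 400 before touching the database also gives a clean log signal: a burst of 400 responses on `/admin/edit_topic.php` with non-numeric `topic_id` values is exactly what probing for this class of flaw looks like in the web server access log.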
Preconditions
- network: The attacker must be able to send HTTP GET requests to the target server.
- auth: The advisory is contradictory: it states 'No AUTHENTICATION REQUIRED' but also says exploitation requires valid credentials.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.