CVE-2026-9525
Description
A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /admin/edit_judge.php. The manipulation of the argument judge_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in /admin/edit_judge.php via judge_id parameter allows remote unauthenticated attackers to manipulate database queries.
Vulnerability
A SQL injection vulnerability exists in the /admin/edit_judge.php file of itsourcecode Electronic Judging System version 1.0. The judge_id parameter is directly concatenated into SQL queries without proper sanitization, allowing injection of malicious SQL payloads. [1]
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By sending crafted GET requests with a malicious judge_id parameter, the attacker can perform boolean-based blind SQL injection or stacked queries. Proof-of-concept payloads have been publicly disclosed. [1]
Impact
Successful exploitation leads to unauthorized access to the database, enabling sensitive data leakage, data modification or deletion, and potentially full system compromise. This poses a serious threat to data integrity and system availability. [1]
Mitigation
As of the disclosure date, no official patch or fix has been released. Users should restrict access to the /admin directory, apply input validation on the judge_id parameter, and consider using parameterized queries. The vendor (itsourcecode.com) has not yet provided a security update. [1]
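The two mitigations named above (input validation on judge_id and parameterized queries), shown beside the concatenation pattern the advisory describes. This is an added example, not code from the application or the vendor; the table and column names (judges, judge_id, name), the function names, and the in-memory SQLite database are assumptions made so that it runs offline.

```php
<?php
declare(strict_types=1);
// Added example. Schema (judges, judge_id, name) and function names are assumed.

// Pattern described in the advisory: the parameter is concatenated into SQL text.
function count_rows_unsafe(PDO $db, string $raw): int
{
    return count($db->query("SELECT name FROM judges WHERE judge_id = $raw")->fetchAll());
}

// Hardened form: allow-list validation first, then a bound parameter.
function find_judge(PDO $db, string $raw): ?array
{
    // judge_id must be a positive integer and nothing else.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // rejected before any SQL is built
    }
    // The value is sent as data and never becomes part of the statement text.
    $stmt = $db->prepare('SELECT judge_id, name FROM judges WHERE judge_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database with two sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE judges (judge_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO judges (judge_id, name) VALUES (1, 'Judge A'), (2, 'Judge B')");

// Concatenation: a boolean condition in the value changes how many rows match.
printf("unsafe  '2'        -> %d row(s)\n", count_rows_unsafe($db, '2'));
printf("unsafe  '2 OR 1=1' -> %d row(s)\n", count_rows_unsafe($db, '2 OR 1=1'));

// Hardened: only a well-formed id reaches the database (constructed inputs).
foreach (['2', '2 OR 1=1', '-1', '', '99'] as $raw) {
    $row = find_judge($db, $raw);
    printf("hardened %-12s -> %s\n", var_export($raw, true),
        $row ? $row['name'] : 'rejected or not found');
}
```

Restricting access to /admin, the third measure listed above, is a web-server or session-check control and is outside what this snippet covers.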
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: =1.0
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.