CVE-2026-9526

Vulnerability

A SQL injection vulnerability exists in the /admin/edit_team.php file of itsourcecode Electronic Judging System version 1.0 [1]. The num_id parameter is taken from the GET request and directly concatenated into SQL queries without proper sanitization or validation, allowing an attacker to inject arbitrary SQL code [1].

Exploitation

The vulnerability can be exploited remotely without any authentication [1]. An attacker sends a crafted GET request to /admin/edit_team.php with a malicious num_id parameter. Proof-of-concept payloads include boolean-based blind injection and stacked queries, as demonstrated in the public advisory [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access to the database, retrieve sensitive data, modify or delete records, and potentially achieve full control over the system, leading to data leakage, data tampering, and service disruption [1].

Mitigation

No official patch or fixed version has been released by the vendor as of the publication date [1][2]. The software appears to be an older project (2015) and may no longer be maintained. As a workaround, input validation and parameterized queries should be implemented for the num_id parameter. Until a fix is available, restricting network access to the admin interface is recommended.