CVE-2026-9527
Description
A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in itsourcecode Electronic Judging System 1.0 allows remote attackers to inject arbitrary scripts via the fname parameter.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in itsourcecode Electronic Judging System version 1.0, specifically in the /admin/judges.php file. The application does not encode user input supplied through the fname argument before rendering it into the page's HTML, so an attacker-controlled value is parsed by the browser as markup and can carry arbitrary HTML and JavaScript. The vulnerability is publicly disclosed and proof-of-concept code has been published [1][2].
Exploitation
According to the published proof of concept, the vulnerability can be exploited without authentication or any special privileges [2]. By submitting a malicious value, such as an HTML tag carrying JavaScript, in the fname parameter to the vulnerable endpoint, the attacker causes the injected script to execute in the browser of any administrator or user who later views the /admin/judges.php page. No user interaction beyond visiting the page is needed [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser context, within the origin of the application. This can lead to theft of cookies or session tokens (where they are not protected by the HttpOnly flag), impersonation of the victim, defacement of the page, redirection to malicious sites, or other unauthorized actions performed with the victim's session. Because the affected page sits under /admin/, the likely victim is an administrator, so the attacker effectively gains administrative access to the application [2].
Mitigation
As of publication, no official fix has been released by itsourcecode. The vendor has not announced a patched version or provided a timeline for remediation. The recommended code-level workaround is context-aware output encoding of all user-supplied data, particularly the fname field, at the point where it is written into the response (in PHP, htmlspecialchars with ENT_QUOTES for HTML body and attribute contexts). A web application firewall (WAF) can block known XSS payloads until a formal patch arrives, but it only matches payload patterns and does not remove the underlying flaw [2].
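The vulnerable pattern described under Vulnerability, placed beside the hardened form recommended under Mitigation, as an added illustration in PHP. This is not code from itsourcecode Electronic Judging System or from the published proof of concept: the record layout, the helper names (renderJudgeRowVulnerable, renderJudgeRowSafe, h, encodingIsSound) and the sample payload are assumptions; only the affected file (/admin/judges.php) and parameter (fname) come from the CVE.

```php
<?php
// Added illustration, not code from itsourcecode Electronic Judging System.
// The record layout, function names and table markup are assumptions about
// how a judges page might render the fname field.

declare(strict_types=1);

// Constructed sample input: a stored judge record whose fname value was
// submitted by an attacker. The leading "> closes an attribute and its tag,
// so the payload fires in both the text and the attribute rendering below.
$judge = [
    'id'    => 7,
    'fname' => '"><img src=x onerror=alert(document.cookie)>',
    'lname' => 'Smith',
];

// VULNERABLE pattern: raw interpolation into HTML. The browser parses the
// fname value as markup, so the event handler runs for anyone viewing the page.
function renderJudgeRowVulnerable(array $judge): string
{
    return '<tr><td>' . $judge['fname'] . '</td>'
         . '<td><input name="fname" value="' . $judge['fname'] . '"></td></tr>';
}

// HARDENED pattern: encode at the output boundary for the HTML context.
// ENT_QUOTES also encodes ' and ", which is what defeats the attribute
// break-out above; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole field into an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderJudgeRowSafe(array $judge): string
{
    return '<tr><td>' . h($judge['fname']) . '</td>'
         . '<td><input name="fname" value="' . h($judge['fname']) . '"></td></tr>';
}

// Self-check: encoded output must contain no raw '<' or '"' originating from
// user data, and decoding must give back the original text unchanged
// (the judge's name is displayed correctly, just not interpreted as markup).
function encodingIsSound(string $userInput): bool
{
    $encoded     = h($userInput);
    $noRawMarkup = strpos($encoded, '<') === false && strpos($encoded, '"') === false;
    $roundTrips  = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $userInput;
    return $noRawMarkup && $roundTrips;
}

echo "Vulnerable:\n" . renderJudgeRowVulnerable($judge) . "\n\n";
echo "Hardened:\n" . renderJudgeRowSafe($judge) . "\n\n";
echo 'Encoding sound: ' . var_export(encodingIsSound($judge['fname']), true) . "\n";
```

Encoding is applied where the value is written into HTML rather than where it is stored, so the same record can still be emitted safely into other contexts (a JSON API, a CSV export) with the encoder appropriate to each. Restricting fname on input to the characters a name can contain is worthwhile defence in depth, but it is not a substitute for output encoding, and neither replaces a vendor fix.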
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- itsourcecode Electronic Judging System, version range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.