VYPR
High severity 7.3 · NVD Advisory · Published May 26, 2026

CVE-2026-9528

Description

A vulnerability was identified in itsourcecode Electronic Judging System 1.0. It affects an unknown function of the file /admin/delete_judge.php. Manipulation of the argument judge_id leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in itsourcecode Electronic Judging System 1.0 via judge_id parameter allows remote unauthenticated attackers to execute arbitrary SQL commands.

Vulnerability

The itsourcecode Electronic Judging System version 1.0 contains a SQL injection vulnerability in the /admin/delete_judge.php file. The judge_id parameter is directly used in SQL queries without proper sanitization, allowing an attacker to inject malicious SQL statements.

Exploitation

The vulnerability can be exploited remotely without authentication or special privileges. An attacker simply sends a crafted HTTP request to the vulnerable endpoint with a malicious judge_id parameter. A proof-of-concept payload such as judge_id=4'or+sleep(2)--+ demonstrates the injection, causing a time-based delay to confirm the vulnerability [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the backend database. This can lead to unauthorized access to sensitive data, data modification or deletion, and potentially full control of the database server, compromising system confidentiality, integrity, and availability [2].

Mitigation

As of the publication date, no official patch has been released by the vendor. The suggested fix is to use prepared statements with parameter binding to prevent SQL injection [2]. Users should also implement input validation and restrict database privileges until a patch is available.
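
The suggested fix, shown as an added example (not code from the vendor or from the project): a PHP delete handler that validates judge_id as an integer and binds it in a prepared statement. The function name, the judges table and its columns, and the in-memory SQLite database holding constructed rows are assumptions, since the page does not show the application's source or schema.

```php
<?php
declare(strict_types=1);

// Added example: hardened delete handler. The function name, the "judges"
// table and its columns are assumptions, not the project's own code.

/**
 * Delete one judge by id.
 * Returns the number of rows deleted, or null when the input is rejected.
 */
function deleteJudge(PDO $db, string $rawJudgeId): ?int
{
    // 1. Input validation: accept only a positive decimal integer.
    $judgeId = filter_var(
        $rawJudgeId,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($judgeId === false) {
        return null; // caller should answer HTTP 400 and log the request
    }

    // 2. Prepared statement: the value is bound as an integer parameter and
    //    is never concatenated into the SQL text. Assumed pattern replaced:
    //    "DELETE FROM judges WHERE judge_id='" . $_GET['judge_id'] . "'"
    $stmt = $db->prepare('DELETE FROM judges WHERE judge_id = :id');
    $stmt->bindValue(':id', $judgeId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (assumption: the
// real application's DBMS and schema are not shown on the page).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE judges (judge_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO judges (judge_id, name) VALUES (4, 'Judge A'), (5, 'Judge B')");

// The payload quoted in the advisory, URL-decoded ('+' is a space).
$payload = "4'or sleep(2)-- ";

var_dump(deleteJudge($db, $payload)); // payload fails integer validation
var_dump(deleteJudge($db, '4'));      // a well-formed id deletes its own row only
var_dump((int) $db->query('SELECT COUNT(*) FROM judges')->fetchColumn());
```

In a deployment the same handler would run under a database account limited to the statements the application needs, which is the privilege restriction mentioned above.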

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
