Itsourcecode Fees Management System: Three Medium-Severity Flaws Disclosed Together
Key findings
- Three medium-severity vulnerabilities disclosed together for Itsourcecode Fees Management System 1.0.
- Includes two SQL injection flaws (CVE-2026-10809, CVE-2026-10808) and one XSS flaw (CVE-2026-10810).
- Vulnerabilities affect core files: navbar.php, manage_user.php, and manage_student.php.
- Exploits for all three vulnerabilities are publicly available, increasing immediate risk.
- Affected versions are up to 1.0; users should seek vendor patches.

On June 4, 2026, three medium-severity vulnerabilities were disclosed together for the Itsourcecode Fees Management System, affecting version 1.0: two SQL injection flaws and one cross-site scripting (XSS) vulnerability. The disclosures highlight potential remote attack vectors that malicious actors could exploit.
The vulnerabilities were identified in core components of the system, specifically within the navbar.php, manage_user.php, and manage_student.php files. The SQL injection flaws, tracked as CVE-2026-10809 and CVE-2026-10808, stem from the manipulation of the 'ID' argument in the manage_user.php and manage_student.php files, respectively. These vulnerabilities allow attackers to inject malicious SQL code, potentially leading to unauthorized data access or modification.
Alongside the SQL injection flaws, CVE-2026-10810 is a cross-site scripting vulnerability. It resides in the navbar.php file and is triggered by manipulating the 'page' argument. Successful exploitation could allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or the redirection of users to malicious sites.
All three vulnerabilities are rated as medium severity, with CVSSv3 scores of 4.3 for the XSS flaw and 6.3 for the SQL injection flaws. Notably, the descriptions for all three CVEs indicate that exploits have been made publicly available. This public availability significantly increases the risk of these vulnerabilities being actively exploited in the wild, as attackers can readily access and utilize proof-of-concept code.
As of the disclosure date, the Itsourcecode Fees Management System version 1.0 is affected. While specific patch details were not immediately available in the disclosure, users of the system are strongly advised to seek updates or security advisories from Itsourcecode. Given the public availability of exploits, prompt patching or mitigation is crucial to protect against potential attacks.
The simultaneous disclosure of these vulnerabilities suggests a coordinated effort to bring these security weaknesses to light. Users should prioritize addressing these issues to maintain the integrity and security of their student management data. Further information regarding specific fixes and recommended actions should be sought directly from the vendor.
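
While no patch is available, access logs can be triaged for requests that reach the three affected files with parameter values outside a strict shape. The following Python sketch is an added example, not code from the vendor or the CVE records; it assumes combined-format access logs, parameters sent in the query string, a numeric 'ID' and a simple page name, and the log lines and the `/fees/` path are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowed value shapes are assumptions: a numeric record id and a plain page name.
NUMERIC = re.compile(r"\d{1,10}")
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
RULES = {  # file -> (parameter, allowed shape, CVE named in the article)
    "manage_user.php": ("id", NUMERIC, "CVE-2026-10809"),
    "manage_student.php": ("id", NUMERIC, "CVE-2026-10808"),
    "navbar.php": ("page", PAGE_NAME, "CVE-2026-10810"),
}
# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_target(target):
    """Return (file, param, cve) when the request target breaks a rule, else None."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name not in RULES:
        return None
    param, shape, cve = RULES[name]
    # parse_qs percent-decodes values; blanks are kept so "id=" is inspected too.
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() == param and any(not shape.fullmatch(v) for v in values):
            return (name, param, cve)
    return None

def scan(lines):
    """Return (line_number, file, param, cve) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        finding = check_target(match.group(1)) if match else None
        if finding:
            hits.append((number, *finding))
    return hits

SAMPLE = [  # constructed log lines, not real traffic
    '198.51.100.7 - - [04/Jun/2026:10:00:01 +0000] "GET /fees/manage_user.php?id=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2026:10:00:02 +0000] "GET /fees/manage_user.php?id=12%27 HTTP/1.1" 200 498',
    '203.0.113.9 - - [04/Jun/2026:10:01:10 +0000] "GET /fees/manage_student.php?ID=7 HTTP/1.1" 200 730',
    '203.0.113.9 - - [04/Jun/2026:10:01:12 +0000] "GET /fees/manage_student.php?ID=7%20x HTTP/1.1" 200 730',
    '203.0.113.9 - - [04/Jun/2026:10:02:00 +0000] "GET /fees/navbar.php?page=home HTTP/1.1" 200 1200',
    '203.0.113.9 - - [04/Jun/2026:10:02:05 +0000] "GET /fees/navbar.php?page=%3Cb%3Ehome HTTP/1.1" 200 1210',
    '203.0.113.9 - - [04/Jun/2026:10:02:09 +0000] "GET /fees/index.php?page=home HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Values sent in POST bodies, or passed to these files through another entry script, do not appear in the request line and need application-level logging or a WAF rule with the same allow-list shapes.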