Itsourcecode Systems: Batch of 15 SQLi and XSS Vulnerabilities Disclosed
Key findings
- Fifteen vulnerabilities disclosed in Itsourcecode products between June 1-2, 2026.
- Vulnerabilities include SQL injection and Cross-Site Scripting (XSS) flaws.
- Four high-severity SQL injection vulnerabilities (CVSSv3 7.3) affect multiple systems.
- Publicly available exploits exist for all disclosed vulnerabilities.
- Affected products include Fees Management System, CMS, House Rental System, and Blood Bank System.
A significant batch of fifteen vulnerabilities affecting multiple Itsourcecode products was disclosed on June 1st and 2nd, 2026. The vulnerabilities, primarily SQL injection flaws with a few cross-site scripting (XSS) issues, span across Itsourcecode's Fees Management System, Content Management System, Online House Rental System, and Online Blood Bank Management System. All disclosed vulnerabilities carry publicly available exploits, raising immediate concerns for users of these systems.
The majority of the disclosed vulnerabilities are SQL injection flaws, many of them in the handling of 'ID' or 'Username' parameters. In the Fees Management System, CVE-2026-10568, CVE-2026-10302 and CVE-2026-10297 all stem from manipulation of the 'ID' argument in /manage_payment.php, /manage_fee.php and /manage_course.php respectively. Similarly, the Content Management System is affected by SQL injection in /admin/edit_topic.php (CVE-2026-10265), /admin/add_sub_topic.php (CVE-2026-10258) and /save_comment.php (CVE-2026-10256), often through manipulation of the 'topic_id' or 'Name' arguments.
The Online House Rental System is particularly affected by high-severity SQL injection flaws. CVE-2026-10253 in /manage_payment.php, CVE-2026-10252 in /manage_tenant.php, and CVE-2026-10251 in /ajax.php?action=login all involve the manipulation of 'ID' or 'Username' parameters, leading to SQL injection. The Online Blood Bank Management System also suffers from high-severity SQL injection, with CVE-2026-10250 in /admin/campsdetails.php and CVE-2026-10249 in /admin/viewrequest.php being directly linked to manipulations of 'hospital' and 'ID' arguments.
Adding to the SQL injection concerns, CVE-2026-10301 in the Fees Management System's index.php file presents a cross-site scripting (XSS) vulnerability, arising from the manipulation of the 'page' argument. While most vulnerabilities are rated Medium (CVSSv3 6.3), four high-severity SQL injection flaws (CVE-2026-10253, CVE-2026-10252, CVE-2026-10251, CVE-2026-10250, CVE-2026-10249) were disclosed with a CVSSv3 score of 7.3.
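The two defect classes described above, a request parameter spliced into a SQL statement and a request parameter echoed into HTML, follow a common pattern regardless of which file they appear in. The following is an added illustration in PHP with PDO; it is not code from Itsourcecode or from the disclosures. Each assumed vulnerable form is shown beside a hardened form. The table names, column names and the list of allowed page names are assumptions made for the example.

```php
<?php
// Added example, not Itsourcecode's code: the parameter-to-SQL and parameter-to-HTML
// patterns behind the disclosed flaws, each as an assumed vulnerable form next to a
// hardened form. Table/column names and page names are assumptions for illustration.

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// --- SQL injection via an 'ID' parameter ---

// Assumed vulnerable pattern: the request value is spliced into the query text,
// so the caller decides what SQL the database runs.
function loadPaymentUnsafe(PDO $db, array $request): ?array
{
    $sql = "SELECT * FROM payments WHERE id = '" . $request['id'] . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: reject anything that is not a positive integer, then bind the value.
// A bound parameter is sent as data, never as part of the statement text.
function loadPaymentSafe(PDO $db, array $request): ?array
{
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller answers with 400 Bad Request
    }
    $stmt = $db->prepare('SELECT id, student, amount FROM payments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- SQL injection via a 'Username' parameter on a login action ---

// Hardened form: bind the username, and check the password in PHP against a stored
// hash rather than in the WHERE clause.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}

// --- Reflected XSS via a 'page' parameter ---

// Assumed vulnerable pattern: the raw parameter is echoed into the document.
function renderHeadingUnsafe(array $request): string
{
    return '<h2>' . $request['page'] . '</h2>';
}

// Hardened form: accept only known page names, and HTML-encode whatever is echoed.
function renderHeadingSafe(array $request): string
{
    $allowed = ['home', 'fees', 'courses', 'payments']; // assumed page names
    $page = $request['page'] ?? 'home';
    if (!in_array($page, $allowed, true)) {
        $page = 'home';
    }
    return '<h2>' . htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}
```

Two design points matter here. Disabling `PDO::ATTR_EMULATE_PREPARES` makes the driver send the statement and its parameters separately, so the binding is enforced by the database rather than by client-side quoting. For the XSS case, the allow-list does the real work; `htmlspecialchars` is the backstop for any value that still has to be reflected.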
All fifteen vulnerabilities disclosed in this batch have publicly available exploits. This means that attackers can readily leverage these flaws to compromise affected systems. The descriptions consistently mention that the exploits are public and may be used, highlighting an immediate threat to organizations running these Itsourcecode products. No specific threat actor or campaign has been linked to these disclosures in the provided information, but the widespread nature and public exploitability suggest a high likelihood of opportunistic attacks.
Details regarding specific affected version ranges or patches are not provided in the initial disclosures. However, given the nature of the vulnerabilities, which appear to be related to input validation and sanitization within specific file paths and parameters, users are strongly advised to seek immediate guidance from Itsourcecode regarding available security updates or patches. The consistent disclosure of public exploits across multiple products underscores the urgency for system administrators to assess their exposure and implement necessary security measures.
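To assess exposure in the absence of version information, an administrator can check which of the endpoints named in the disclosures are present in a deployed web root and look for the query-building pattern that underlies these flaws. The following POSIX shell script is an added example, not a tool from Itsourcecode or from the disclosures. The endpoint paths come from the advisory text; the grep heuristic (a SQL verb and a request superglobal on the same line) is an assumption and will produce both false positives and misses, so treat its output as a triage list.

```sh
#!/bin/sh
# Added example, not from the advisory: a quick exposure check for a deployed
# Itsourcecode-style PHP install. Endpoint paths come from the disclosures; the
# grep heuristic is a constructed approximation, not a definitive scanner.

# Endpoints named in the disclosures, relative to the web root.
ADVISORY_PATHS="manage_payment.php manage_fee.php manage_course.php index.php
admin/edit_topic.php admin/add_sub_topic.php save_comment.php manage_tenant.php
ajax.php admin/campsdetails.php admin/viewrequest.php"

# Print each advisory path that exists under the given web root.
list_present_endpoints() {
    root="$1"
    for p in $ADVISORY_PATHS; do
        if [ -f "$root/$p" ]; then
            echo "$p"
        fi
    done
}

# Flag PHP lines that build a SQL statement from a request parameter.
# Heuristic: a SQL verb followed, before the end of the statement, by
# $_GET[, $_POST[ or $_REQUEST[ on the same line.
find_interpolated_queries() {
    root="$1"
    find "$root" -name '*.php' -exec grep -HnEi \
        '(select|insert|update|delete)[^;]*\$_(GET|POST|REQUEST)\[' {} + 2>/dev/null
    return 0
}

# Number of flagged lines, usable as a pass/fail signal in a maintenance script.
count_interpolated_queries() {
    find_interpolated_queries "$1" | wc -l | tr -d ' '
}

# Usage: sh check_exposure.sh /var/www/html
#   list_present_endpoints "$1"
#   find_interpolated_queries "$1"
```

Run it against the web root of each deployed product; a non-empty endpoint list combined with flagged query lines is a strong reason to take the application offline until Itsourcecode provides a fix or the queries are rewritten with prepared statements.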
This concentrated disclosure event, spanning just 18 hours, emphasizes the critical need for proactive security management for Itsourcecode users. The prevalence of SQL injection and the availability of exploits across diverse product lines indicate a systemic issue that requires prompt attention. Organizations should prioritize updating their systems and reviewing their security configurations to mitigate the risks posed by these vulnerabilities.