CVE-2026-10242: SQL Injection in itsourcecode CMS 1.0 /instructions.php
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in the /instructions.php file. An attacker with user-level access can manipulate the topic_id parameter to execute unauthorized database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is remotely exploitable and public exploit code is available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in itsourcecode Content Management System 1.0. This impacts an unknown function of the file /instructions.php. This manipulation of the argument topic_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10242 is a SQL injection flaw (CWE-89) resulting from improper neutralization of special elements used in SQL commands (CWE-74). The vulnerability exists in /instructions.php where the topic_id argument is insufficiently sanitized before being used in database queries. The attack requires an authenticated session (PR:L in CVSS terms) but no user interaction. Successful exploitation grants an attacker the ability to read, modify, or delete database records depending on the application's database permissions and query context.
Business impact
Organizations running itsourcecode CMS 1.0 face data confidentiality, integrity, and availability risks. Attackers with valid credentials can exfiltrate customer records, modify content or user accounts, or degrade system availability through resource-intensive queries. The combination of authentication requirement and public exploit availability increases the risk of insider threats or compromised account abuse.
Affected systems
itsourcecode Content Management System version 1.0 is affected. No patched versions or alternative products are identified in the source data; organizations should verify current deployment versions against the vendor advisory and check for upgrade paths.
Exploitability
The vulnerability carries a CVSS 3.1 score of 6.3 (Medium) with a network-accessible attack vector and low attack complexity. Exploitation requires valid user credentials, which limits opportunistic attacks but increases risk in environments with poor access controls or credential compromise. Public availability of exploit code lowers the barrier to weaponization.
Remediation
Apply vendor security updates as soon as they become available. Until patching is possible, implement network segmentation and restrict access to /instructions.php to trusted users only. Monitor database query logs for suspicious patterns, particularly those involving UNION, SELECT, or comment sequences in the topic_id parameter. Consider implementing a Web Application Firewall (WAF) rule to block common SQL injection payloads targeting this endpoint.
Patch guidance
Check the itsourcecode vendor advisory for patches addressing CVE-2026-10242. Verify the specific version numbers and test in a non-production environment before deployment. Given the authenticated attack vector, ensure that access controls to the CMS are reviewed in parallel with patching.
Detection guidance
Monitor for HTTP requests to /instructions.php containing SQL metacharacters or keywords in the topic_id parameter (e.g., single quotes, UNION, OR, --). Log all authenticated access to this endpoint and correlate with user behavior baselines. Database query logs should be analyzed for unexpected table access or queries originating from the CMS application context.
Why prioritize this
Although rated CVSS Medium, this vulnerability should be prioritized because: (1) public exploits are available, (2) the attack surface includes all authenticated users, (3) SQL injection directly threatens data confidentiality and integrity, and (4) the file /instructions.php likely handles user-controlled input in a business-critical context. Organizations should address this within 30–60 days depending on user access patterns.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a networked, unauthenticated-exposure barrier (PR:L) balanced against full impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The score does not account for the amplifying factor of public exploit availability, which raises operational risk above the base numeric score.
Frequently asked questions
Does this vulnerability require the attacker to be an administrator?
No. The CVSS vector PR:L indicates the attacker needs only low-level user credentials, not administrative privileges. Any authenticated user of the CMS can exploit this vulnerability.
What is the difference between CWE-74 and CWE-89 in this context?
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) is the parent weakness; CWE-89 (SQL Injection) is the specific manifestation. The vulnerability occurs because user input is not properly escaped before being used in SQL commands.
Is there a way to use this vulnerability without user credentials?
Based on the CVSS vector, authentication is required. However, attackers may combine this with credential compromise or weak password policies to gain initial access.
Should I immediately shut down my CMS while waiting for a patch?
Not necessarily, but reduce exposure by restricting CMS access to trusted networks, enforcing strong authentication, and monitoring /instructions.php activity. A complete shutdown should be considered only if the system is directly exposed to untrusted networks with no compensating controls.
This analysis is based on publicly disclosed vulnerability information as of the publication date. Actual impact and exploit difficulty may vary depending on deployment configuration, database backend, and access control posture. Organizations should verify patch availability and compatibility with their specific itsourcecode version and environment. No proof-of-concept code or detailed exploitation steps are provided herein. This information is intended for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface