CVE-2026-10251: SQL Injection in itsourcecode Online House Rental System 1.0
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. An attacker can send a specially crafted request to the login functionality via the Username parameter to execute arbitrary database commands. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to exposed instances. Public exploit code is available, increasing the likelihood of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in itsourcecode Online House Rental System 1.0. The impacted element is an unknown function of the file /ajax.php?action=login. Executing a manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10251 is a SQL injection flaw (CWE-89) in the /ajax.php?action=login endpoint of itsourcecode Online House Rental System 1.0. The Username parameter fails to properly sanitize or parameterize user input before constructing SQL queries. This improper input handling (CWE-74) allows unauthenticated, remote attackers to inject malicious SQL syntax with no user interaction required. The vulnerability carries a CVSS v3.1 score of 7.3 (HIGH) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network-exploitable impact on confidentiality, integrity, and availability.
Business impact
Successful exploitation could allow attackers to extract sensitive tenant or landlord information (names, contact details, financial records), modify or delete rental records, or degrade system availability. For property management organizations using this system, data breaches expose customer privacy and create regulatory compliance risks. Attackers may also establish persistence for further lateral movement if the system is networked with internal infrastructure.
Affected systems
itsourcecode Online House Rental System version 1.0 is confirmed vulnerable. Organizations running this specific version should immediately audit their deployment scope and network exposure. Verify whether your systems are running this version and whether instances are accessible from untrusted networks or the internet.
Exploitability
This vulnerability has high exploitability. It requires no authentication, no user interaction, and network access only—all factors that make it practical to exploit at scale. Public exploit code is available, meaning threat actors have pre-built tools to test and target unpatched systems. The unauthenticated nature and network accessibility significantly lower the barrier to entry for attackers.
Remediation
Patch or upgrade itsourcecode Online House Rental System to a version released after this vulnerability's disclosure. Consult the vendor's official advisory for specific patched versions. Until patching is possible, restrict network access to the affected application using firewall rules or WAF policies, disable the /ajax.php endpoint if not required, and implement IP allowlisting for legitimate administrative access.
Patch guidance
Contact itsourcecode for an official security update addressing CVE-2026-10251. Verify the patched version number against the vendor's advisory before deployment. Test patches in a non-production environment first to ensure compatibility with your rental operations. After patching, restart the affected service to activate the fixes.
Detection guidance
Monitor HTTP requests to /ajax.php?action=login for suspicious patterns in the Username parameter, including SQL metacharacters (single quotes, semicolons, comment markers like -- or /*). Configure WAF rules to block or alert on SQL injection signatures in login attempts. Review database query logs for unusual or malformed SQL statements originating from the web application. Check application logs for authentication failures or error messages that may indicate injection attempts.
Why prioritize this
This vulnerability merits immediate attention due to its remote, unauthenticated exploitability, publicly available exploit code, and direct impact on sensitive data. The HIGH CVSS score reflects meaningful risk to confidentiality, integrity, and availability. Organizations should prioritize patching or mitigation within days, not weeks, particularly if the system handles personal or financial information.
Risk score, explained
The CVSS v3.1 score of 7.3 (HIGH) reflects the combination of network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impacts across confidentiality, integrity, and availability (C:L/I:L/A:L). The availability of public exploits and lack of barriers to exploitation elevate real-world risk beyond the base score.
Frequently asked questions
Is this vulnerability actively being exploited?
Public exploit code is available, which significantly increases the likelihood of active exploitation. However, CVE-2026-10251 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations should assume exploitation is possible and treat this as a high-priority risk regardless of KEV status.
Can this vulnerability be exploited without network access to the system?
No. The vulnerability requires network access to the /ajax.php endpoint. However, if your instance is internet-facing or accessible from an untrusted network, that access requirement is trivially met. Review your network segmentation and firewall rules immediately.
What data is at risk if this system is compromised?
A successful attack could expose tenant and landlord personal information, property details, rental agreements, payment records, and contact information stored in the database. The scope of exposure depends on what data your organization stores in this system.
Do I need to wait for an official patch to mitigate this risk?
No. While patching is the preferred long-term solution, you should immediately implement interim controls: restrict network access via firewall, disable the vulnerable endpoint if possible, implement WAF rules, and monitor for exploitation attempts. These actions reduce risk while you coordinate patching.
This analysis is based on publicly disclosed vulnerability information available as of the publication date. Organizations should verify patch availability and compatibility with their specific deployment before applying updates. SEC.co does not endorse any particular vendor product or patch version; consult official vendor advisories for authoritative guidance. Exploit code references in this document are for defensive awareness only; unauthorized access to computer systems remains illegal. Your organization's risk posture may differ based on network architecture, data sensitivity, and operational context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login