CVE-2026-10252: SQL Injection in itsourcecode Online House Rental System 1.0
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0 that allows unauthenticated attackers to inject malicious SQL commands through the ID parameter in the /manage_tenant.php file. This could enable attackers to read, modify, or delete tenant data stored in the application's database without requiring any special credentials or user interaction. The vulnerability is publicly known and exploit code is available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in itsourcecode Online House Rental System 1.0. This affects an unknown function of the file /manage_tenant.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10252 is a remote SQL injection flaw affecting the tenant management functionality in itsourcecode Online House Rental System 1.0. The vulnerability stems from insufficient input validation on the ID parameter passed to /manage_tenant.php, allowing attackers to break out of the intended SQL query context and execute arbitrary database commands. The CVSS 3.1 score of 7.3 (HIGH) reflects network accessibility, low attack complexity, and impacts to confidentiality, integrity, and availability. The vulnerability maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection).
Business impact
For organizations deploying itsourcecode Online House Rental System 1.0, this vulnerability poses a direct threat to tenant data confidentiality and system availability. Attackers could extract sensitive personal information (names, contact details, financial records), modify rental agreements or payment records, or corrupt the database entirely. Property management firms relying on this system should expect potential data breach notifications, regulatory compliance issues, customer trust erosion, and operational disruption during remediation.
Affected systems
The vulnerability affects itsourcecode Online House Rental System version 1.0. The vendors_products field in the advisory data is empty, suggesting either a single-vendor exposure or incomplete vendor data. Organizations using any installation of this system should assume exposure and audit their deployments immediately.
Exploitability
This vulnerability has a low barrier to exploitation. No privileges are required to attack it (PR:N), the attack vector is network-based (AV:N), and no special conditions or user interaction are necessary (AC:L, UI:N). The fact that the vulnerability has been publicly disclosed means attack tools and techniques are or will soon be widely available. Active scanning for unpatched instances should be expected imminently.
Remediation
The primary remediation is to upgrade itsourcecode Online House Rental System to a patched version released after this disclosure. Verify the specific patch version against the official itsourcecode vendor advisory. For organizations unable to patch immediately, implement strict input validation and parameterized queries (prepared statements) at the application layer, restrict network access to the application via firewall rules or VPN, and enable comprehensive logging and monitoring of database queries for anomalous patterns.
Patch guidance
Contact itsourcecode directly or monitor their official security advisories for a patched release. Apply patches as soon as they become available, prioritizing this over non-critical updates due to the HIGH severity rating and public exploit availability. Test patches in a staging environment before production deployment to ensure compatibility with tenant data and reporting workflows.
Detection guidance
Monitor web server and application logs for SQL injection patterns in requests to /manage_tenant.php, particularly those containing URL-encoded SQL keywords (e.g., %27%20OR%20, %27%3B%20DROP), unusual ID parameter values, or requests from unexpected network segments. Database logs should be reviewed for anomalous query execution, failed login attempts, or unexpected data modification operations. Intrusion detection systems should be configured to flag suspicious SQL syntax in HTTP traffic destined for this endpoint.
Why prioritize this
Despite the absence of CISA KEV tracking, this vulnerability merits immediate prioritization due to its HIGH CVSS score, network-based attack surface, lack of authentication requirements, and confirmed public disclosure. Any internet-facing deployment of itsourcecode Online House Rental System 1.0 is at immediate risk of compromise. The sensitivity of tenant data (PII, financial records) elevates business risk beyond the technical severity score.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects a HIGH-severity vulnerability with significant exploitability. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L indicates that the attack is remotely accessible, requires minimal complexity, no privileges, no user interaction, and impacts confidentiality, integrity, and availability within the vulnerable component. The lack of scope change (S:U) means the impact is limited to the affected system rather than cascading to others.
Frequently asked questions
Is this vulnerability actively exploited?
The vulnerability has been publicly disclosed and exploit code is available. While it is not yet tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, public disclosure typically precedes active exploitation by days to weeks. Organizations should assume active scanning and exploitation attempts are underway.
Can network segmentation reduce my risk if I cannot patch immediately?
Yes. Restricting network access to the application via firewall rules, VPN-only access, or IP whitelisting can significantly reduce attack surface. However, this is a temporary measure and should not be considered a substitute for patching. Prioritize upgrading as soon as patches are released.
How do I know if my instance has been compromised?
Review web server access logs for suspicious requests to /manage_tenant.php with unusual ID parameters, database logs for unexpected queries or data changes, and file integrity monitoring for unauthorized changes to application files. Consider engaging a forensic analyst if you suspect compromise, as SQL injection attacks often leave subtle traces.
Does this affect only internet-facing deployments?
While public exploitation is most likely for internet-facing instances, internal deployments connected to untrusted networks or with insider threat potential are also at risk. Audit all instances regardless of network location.
This analysis is provided for informational and defensive purposes. SEC.co does not assist in or condone any unauthorized access to computer systems. Organizations are responsible for determining the applicability of this vulnerability to their specific deployments and for testing patches in non-production environments before production deployment. Verify all patch version numbers and remediation steps against official vendor advisories. For additional context, refer to the official CVE record and vendor security documentation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login