CVE-2026-10253: SQL Injection in itsourcecode Online House Rental System 1.0
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The vulnerability is located in the /manage_payment.php file, specifically in how it processes the ID parameter. An attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive payment and rental data. The vulnerability requires no authentication, can be exploited over the network, and exploit code is publicly available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in itsourcecode Online House Rental System 1.0. This impacts an unknown function of the file /manage_payment.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10253 is a SQL injection flaw (CWE-89) in itsourcecode Online House Rental System 1.0 affecting the /manage_payment.php endpoint. The ID argument fails to properly sanitize user input before incorporating it into database queries. The attack vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a network-accessible vulnerability requiring no privileges or user interaction. The underlying weakness is classified as CWE-74 (Improper Neutralization of Special Elements in Output).
Business impact
Organizations deploying itsourcecode Online House Rental System 1.0 face exposure of sensitive payment information, tenant data, and property details. SQL injection attacks could enable attackers to read, modify, or delete database records, compromising tenant privacy and financial transaction integrity. Given the public availability of exploit code, the risk of active exploitation is elevated. Rental platforms may face regulatory penalties, reputational damage, and loss of customer trust if sensitive data is compromised.
Affected systems
The vulnerability affects itsourcecode Online House Rental System version 1.0. Organizations should verify whether this specific version is deployed in their infrastructure. The vulnerability is not known to affect other products or versions based on available information, though patch or upgrade guidance should be obtained directly from itsourcecode.
Exploitability
This vulnerability is readily exploitable. The CVSS score of 7.3 (HIGH) reflects the ease of attack: no authentication is required, the attack complexity is low, no user interaction is necessary, and the vulnerability is remotely accessible. Public exploit code availability significantly increases real-world risk. An attacker needs only network access and knowledge of the vulnerable endpoint to attempt exploitation.
Remediation
Upgrade itsourcecode Online House Rental System to a patched version released after the vulnerability discovery. Verify patch availability directly from itsourcecode's official advisory or support channels. As an interim measure, implement network-level access controls to restrict access to /manage_payment.php to trusted administrative networks only. Input validation and parameterized queries should be implemented if a patch is not immediately available.
Patch guidance
Contact itsourcecode directly or consult their official security advisory for patched version information and deployment instructions. Given the HIGH severity and public exploit availability, patching should be prioritized for immediate deployment. Test patches in a non-production environment before full rollout. If patches are unavailable, implement compensating controls such as Web Application Firewall (WAF) rules to block malicious SQL injection patterns targeting the /manage_payment.php endpoint.
Detection guidance
Monitor web server and application logs for suspicious SQL syntax in HTTP requests targeting /manage_payment.php, particularly in the ID parameter. Look for patterns such as UNION-based queries, Boolean-based blind SQL injection, or time-based payloads. Implement WAF rules to detect and block common SQL injection signatures. Database query logging should be enabled to catch attempted unauthorized data access. Monitor for unexpected database errors or performance anomalies that may indicate active exploitation attempts.
Why prioritize this
This vulnerability merits immediate remediation due to its HIGH CVSS score (7.3), public exploit availability, direct impact on sensitive payment and rental data, and lack of authentication barriers. The combination of network accessibility, low attack complexity, and confidentiality/integrity/availability impact makes it an attractive target for opportunistic attackers. Organizations should treat this as a critical remediation priority.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects a HIGH severity vulnerability due to: (1) Network accessibility requiring no authentication (AV:N, PR:N), (2) Low attack complexity (AC:L) and no user interaction required (UI:N), and (3) Confidentiality, integrity, and availability impact (C:L/I:L/A:L). The unchanged scope (S:U) prevents the score from reaching CRITICAL threshold, but the public exploit availability and real-world impact elevate operational risk significantly beyond the base score.
Frequently asked questions
Is there a patch available for CVE-2026-10253?
Patch availability has not been announced in public advisories as of the latest update. Contact itsourcecode directly through their official support channels to inquire about security updates. If patches are not available, implement the compensating controls outlined in the detection and remediation sections, including WAF rules and access restrictions.
Can this vulnerability be exploited without network access or special privileges?
Yes. The vulnerability requires no authentication (PR:N) and is remotely accessible (AV:N), meaning any attacker with network connectivity to the vulnerable application can attempt exploitation. This makes it a significant risk even for systems behind firewalls if the vulnerable endpoint is exposed to the Internet.
What data could an attacker access through this SQL injection?
An attacker could potentially read, modify, or delete any data accessible by the database user running the application, typically including tenant information, rental contracts, payment records, and property details. The exact scope depends on database permissions and configuration, but payment systems typically store sensitive personal and financial data.
Should we disable the Online House Rental System entirely until a patch is available?
Disabling the system should be considered if no compensating controls are viable and the system is exposed to untrusted networks. However, implementing strict network access controls (limiting access to /manage_payment.php to trusted IP addresses) and deploying WAF rules may allow continued operation while reducing risk. Evaluate the business need against the security risk and implement the most appropriate control strategy for your organization.
This analysis is based on publicly available information as of June 2026 and reflects the vulnerability's status at that time. Patch availability, vendor statements, and threat intelligence may evolve; consult itsourcecode's official security advisories for the most current guidance. CVSS scores are provided as-is from authoritative sources and represent base metrics; environmental scoring should be applied based on your organization's specific configuration and risk tolerance. This advisory does not constitute legal advice or guarantee against exploitation. Organizations should conduct their own risk assessments and implement controls appropriate to their threat environment and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login