CVE-2026-10258: SQL Injection in itsourcecode CMS 1.0 Admin Interface
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the topic_id parameter in the /admin/add_sub_topic.php file to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in itsourcecode Content Management System 1.0. Impacted is an unknown function of the file /admin/add_sub_topic.php. This manipulation of the argument topic_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10258 is a SQL injection flaw (CWE-89) arising from improper input validation (CWE-74) in itsourcecode CMS 1.0's administrative add_sub_topic.php endpoint. The topic_id parameter fails to properly sanitize or parameterize user input before it is incorporated into SQL queries. An authenticated attacker with administrative or contributor-level access can craft malicious SQL payloads within the topic_id argument to execute arbitrary database operations. The CVSS v3.1 score of 6.3 (Medium) reflects the requirement for prior authentication, though the attack carries network-accessible exploitability and potential confidentiality, integrity, and availability impact. Public exploit code availability increases practical risk.
Business impact
Exploitation of this vulnerability enables attackers with valid CMS credentials to exfiltrate sensitive content stored in the database, modify or delete editorial records, or potentially escalate privileges within the application. For organizations relying on itsourcecode CMS 1.0 for content management, this creates a data breach and service disruption risk. The requirement for authenticated access somewhat limits exposure; however, compromised staff accounts, weak password policies, or insider threats amplify the risk profile. Public exploit availability shortens the window between discovery and active exploitation.
Affected systems
itsourcecode Content Management System version 1.0 is affected. The vulnerability resides in the administrative interface and requires valid login credentials to trigger, so exposure is limited to systems where the CMS is deployed and administrative interfaces are accessible to staff or potentially external users. No version information beyond 1.0 is provided in the source data; verify with the vendor whether later versions are affected or patched.
Exploitability
The vulnerability has been published with public exploit code available, reducing the barrier to weaponization. Exploitation requires network access and valid authentication credentials—a meaningful but not insurmountable constraint. The attack vector is straightforward: craft a malicious SQL string in the topic_id parameter and submit it via the /admin/add_sub_topic.php endpoint. No special privileges, user interaction, or complex prerequisites are necessary beyond valid login. Given the public availability of working exploits and the relative simplicity of SQL injection techniques, opportunistic or targeted attackers could rapidly instrument this vulnerability.
Remediation
Organizations using itsourcecode CMS 1.0 should immediately contact the vendor to obtain patched or updated versions. In the interim, mitigate risk by restricting access to the /admin/ directory to a whitelist of trusted IP addresses, enforcing strong multi-factor authentication for all administrative accounts, and monitoring database query logs for anomalous SQL patterns. Consider implementing a Web Application Firewall (WAF) rule set to detect and block common SQL injection payloads targeting the topic_id parameter. If the CMS cannot be patched or updated in your environment, evaluate migration to an alternative supported CMS platform.
Patch guidance
Verify the availability of security updates or patches from itsourcecode by consulting their official vendor advisory and security bulletins. Apply patches to the CMS application as soon as they become available. Ensure that any patched version of itsourcecode CMS 1.0 is deployed across all instances in your environment, including development, staging, and production systems. Test patches thoroughly in a non-production environment before rollout to production to confirm compatibility with your existing workflows and integrations.
Detection guidance
Monitor access logs for the /admin/add_sub_topic.php endpoint, particularly for POST requests with unusual or encoded topic_id values containing SQL metacharacters (e.g., single quotes, semicolons, OR/AND operators, UNION keywords). Enable database query logging and search for suspicious SQL commands executed from the CMS application user account, such as SELECT statements targeting system tables or UNION-based queries. Network-based detection can be aided by WAF rules or intrusion detection systems configured to identify SQL injection attack signatures. Examine administrative user account activity for logins from unusual geographic locations or at abnormal hours, as this may indicate credential compromise preceding exploitation attempts.
Why prioritize this
Although the CVSS score of 6.3 places this vulnerability in the Medium severity category, several factors warrant higher prioritization: (1) public exploit code is available, dramatically reducing the technical barrier to exploitation; (2) SQL injection attacks frequently lead to full database compromise, allowing exfiltration or destruction of sensitive content; (3) administrative interfaces are often targeted by both external attackers and malicious insiders; and (4) itsourcecode CMS 1.0 appears to lack widespread vendor support or rapid patch cycles based on limited vendor/product metadata, suggesting a longer remediation window. Organizations running this CMS should treat this as a priority remediation item even if categorized as Medium severity.
Risk score, explained
CVE-2026-10258 received a CVSS v3.1 score of 6.3 (Medium severity) based on the following factors: the attack vector is network-accessible (AV:N), the attack complexity is low (AC:L), and prior user authentication is required (PR:L). The impact assessment spans confidentiality, integrity, and availability (C:L, I:L, A:L), each rated as low in isolation because the scope is unchanged (S:U). The Medium rating appropriately reflects the requirement for valid credentials, which narrows the attack surface. However, the public availability of exploit code and the typical high impact of SQL injection in real-world scenarios suggest organizations should apply additional risk context beyond the base CVSS score when prioritizing remediation efforts.
Frequently asked questions
Do I need administrative credentials to exploit this vulnerability?
Yes. The vulnerability requires valid authentication to the CMS before the SQL injection payload can be delivered via the /admin/add_sub_topic.php endpoint. This could be a staff account, a compromised contractor login, or a weak password exposure. Multi-factor authentication and strong password hygiene are important mitigating controls.
How can I tell if my itsourcecode CMS 1.0 instance has been compromised by this flaw?
Look for suspicious database activity around the topic_id parameter, unexpected changes to content or administrative records, unusual SQL queries in database logs, and authentication logs showing logins from unfamiliar IP addresses or at odd times. If you suspect compromise, isolate the affected system, preserve logs for forensic analysis, and consult a cybersecurity incident response team.
What should I do if I cannot update my CMS immediately?
Restrict access to the /admin/ directory via firewall rules or network segmentation, enforce multi-factor authentication for all admin accounts, enable comprehensive logging of database and application events, and consider deploying a WAF with SQL injection detection rules. These do not eliminate the risk but significantly reduce the attack surface and dwell time if an attacker attempts exploitation.
Is this vulnerability being actively exploited in the wild?
The vulnerability was published on 2026-06-01 with public exploit code made available. While there is no official confirmation in the provided data that active in-the-wild exploitation is occurring, the combination of public exploits and relatively low attack complexity means malicious actors could begin targeting vulnerable instances quickly. Treat this as a high-urgency remediation priority.
This analysis is provided for informational purposes by SEC.co and is based on publicly disclosed vulnerability data as of 2026-06-17. The information herein should not be construed as professional security advice. Organizations should verify all patch versions, vendor advisories, and technical guidance directly with itsourcecode and consult their own security teams before implementing any remediation measures. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this content. Use of this information is at the reader's sole discretion and risk. Always conduct thorough testing in non-production environments before deploying patches or configuration changes to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface