CVE-2026-10265: SQL Injection in itsourcecode CMS 1.0 Admin Interface
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 that allows authenticated users to manipulate the topic_id parameter in the /admin/edit_topic.php file to execute arbitrary SQL queries. An attacker with valid admin credentials can exploit this to read, modify, or delete database records. Public exploits are available, elevating operational risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in itsourcecode Content Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_topic.php. Such manipulation of the argument topic_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10265 is a SQL injection flaw arising from improper input validation in the topic_id parameter of the edit_topic.php administrative endpoint. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection), indicating that user-supplied input is concatenated directly into SQL queries without parameterization or escaping. The attack vector is network-based, requires valid authentication (PR:L), and can compromise the confidentiality, integrity, and availability of backend data.
Business impact
Successful exploitation could allow an authenticated attacker to exfiltrate sensitive content stored in the CMS database, modify or delete published content, create unauthorized administrative accounts, or degrade service availability. For organizations relying on this CMS for customer-facing or internal documentation, data integrity compromise and potential regulatory violations (depending on data classification) represent material business risk. The presence of public exploits reduces the barrier to weaponization.
Affected systems
itsourcecode Content Management System version 1.0 is confirmed vulnerable. Organizations running this version in any production or development environment where user accounts have access to /admin/edit_topic.php are at direct risk. The scope is limited to version 1.0; verify whether your deployment includes this version and whether administrative access is appropriately restricted.
Exploitability
The CVSS 3.1 score of 6.3 (Medium severity) reflects a network-accessible vulnerability requiring low-impact authentication. However, the availability of public exploits and the straightforward nature of SQL injection attack vectors mean that technical exploitation is relatively straightforward for someone with admin-level access or who can obtain valid credentials through other means. The attack does not require user interaction and leaves a minimal footprint if logging is not enabled.
Remediation
Immediate action is to upgrade itsourcecode Content Management System to a patched version that includes input validation and parameterized queries. If an immediate upgrade is not possible, implement network segmentation to restrict access to /admin/edit_topic.php to trusted administrative IP ranges, enforce multi-factor authentication for admin accounts, and enable comprehensive SQL query logging and alerting. Apply the principle of least privilege to database service accounts used by the CMS.
Patch guidance
Consult the itsourcecode vendor advisory or release notes for version numbers that address CVE-2026-10265. Upgrade to the latest stable release that includes fixes for SQL injection in the admin interface. Prior to deployment, test the patch in a non-production environment to verify compatibility with custom extensions or data migrations. Verify against the vendor advisory for specific version recommendations and any dependency updates required.
Detection guidance
Monitor web server access logs for POST or GET requests to /admin/edit_topic.php containing SQL keywords or encoded payloads in the topic_id parameter (e.g., UNION, SELECT, OR 1=1). Implement Web Application Firewall (WAF) rules to block common SQL injection patterns. Enable database query logging and alert on unexpected UNION queries or attempts to access system tables from the CMS application user. Review admin access logs for unusual bulk operations or data exports coinciding with suspicious requests.
Why prioritize this
Despite a Medium CVSS score, this vulnerability warrants prompt remediation because: (1) public exploits exist, reducing time-to-weaponization; (2) it affects the administrative interface, granting authenticated attackers database-level access; (3) the CMS likely stores business-critical or customer data; and (4) the fix is typically a straightforward vendor patch. Organizations should prioritize this above lower-impact vulnerabilities but below critical remote code execution flaws affecting unauthenticated users.
Risk score, explained
The CVSS 3.1 base score of 6.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) that requires valid authentication (PR:L) and causes low-impact confidentiality, integrity, and availability breaches (C:L/I:L/A:L) within a single security scope (S:U). The Medium severity designation is appropriate for a database-level integrity threat that requires credentials but poses real operational and compliance risk in most environments.
Frequently asked questions
Do we need to be authenticated to exploit this vulnerability?
Yes. The CVSS vector specifies PR:L (privileged required), meaning the attacker must possess valid administrative credentials to reach and manipulate the /admin/edit_topic.php endpoint. However, if admin credentials are weak, shared, or obtained through phishing, this requirement becomes a minor barrier.
Is this vulnerability tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog?
No. CVE-2026-10265 is not currently listed in the KEV catalog, though public exploits do exist. Organizations should not interpret KEV absence as a sign of low urgency; KEV inclusion is a compliance requirement for federal contractors but does not reflect the true threat landscape.
What is the difference between CWE-74 and CWE-89 in this context?
CWE-89 (SQL Injection) is the specific, direct root cause. CWE-74 (Improper Neutralization of Special Elements in Output) is a broader category reflecting the underlying weakness in output encoding and parameterization. Remediation focuses on CWE-89: using parameterized queries or prepared statements.
Can we temporarily mitigate this without upgrading the CMS?
Partial mitigation is possible through network controls (IP whitelisting, WAF rules blocking SQL keywords in topic_id, multi-factor authentication for admin accounts) and logging/alerting. However, these are defense-in-depth measures and do not eliminate the vulnerability itself. A vendor patch or upgrade remains the definitive remediation.
This analysis is based on published CVE data as of the modification date (2026-06-17). Actual severity and exploitability may vary depending on your environment, network architecture, and compensating controls. Always verify patch availability and compatibility against official vendor advisories before deploying updates. SEC.co provides this information for informational purposes; conduct your own risk assessment and consult with your security team before taking remedial action. No warranty is provided regarding the accuracy or completeness of this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface