PatchSiren cyber security CVE debrief
CVE-2026-10249 itsourcecode CVE debrief
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System 1.0, specifically within the /admin/viewrequest.php file. The vulnerability stems from improper sanitization of the 'ID' parameter, allowing remote attackers to manipulate SQL queries. The attack vector is network-based, requires no authentication, and has low complexity. Public exploit availability increases risk, though the CVSS 4.0 score of 5.5 reflects limited impact on confidentiality, integrity, and availability. The vendor is currently recorded as unknown; a low-confidence candidate, 'Itsourcecode', comes from reference domain analysis.
- Vendor: itsourcecode
- Product: Online Blood Bank Management System
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations running itsourcecode Online Blood Bank Management System 1.0, particularly healthcare or blood bank operations relying on this software for donor and request management. Security teams responsible for PHP web application security and database protection should prioritize assessment.
Technical summary
The /admin/viewrequest.php endpoint in itsourcecode Online Blood Bank Management System 1.0 fails to properly sanitize user-supplied input to the 'ID' parameter, enabling SQL injection. The vulnerability is remotely exploitable without authentication. The CVSS 4.0 base score is 5.5 (MEDIUM), with a proof-of-concept exploit available. Impact scope is limited to the vulnerable component, with low ratings for the confidentiality, integrity, and availability impacts. No known ransomware campaign use or CISA KEV listing exists.
Defensive priority
medium
Recommended defensive actions
- Apply input validation and parameterized queries to the ID parameter in /admin/viewrequest.php
- Restrict network access to /admin/ endpoints using IP allowlisting or VPN requirements where possible
- Monitor web application logs for anomalous SQL patterns or unexpected ID parameter values
- Review database account privileges and apply principle of least privilege to limit impact of successful injection
- Contact itsourcecode for patch availability if this is a third-party dependency
- Consider web application firewall (WAF) rules to detect and block common SQL injection payloads targeting the ID parameter
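One way to implement the first action (integer validation plus a parameterized query), shown as an added example for this debrief rather than code from the itsourcecode project; the table and column names, the DSN and credentials, and the shape of the vulnerable query are assumptions, since the original source is not reproduced here:

```php
<?php
// Added example, not code from itsourcecode Online Blood Bank Management System.
// Assumed schema: blood_request(id, donor_name, blood_group, status).

// Illustrative CWE-89 shape (assumption, not the project's actual code): the raw
// 'ID' parameter is concatenated into the SQL string, so whatever the client
// sends becomes part of the query text. This is the pattern to look for in review.
function viewRequestVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT id, donor_name, blood_group, status FROM blood_request WHERE id = " . $get['ID'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened version: validate the parameter as a positive integer, then bind it
// as a typed parameter so the database engine never interprets it as SQL.
function viewRequestHardened(PDO $db, array $get): ?array
{
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject and log the bad value; this also gives monitoring a signal (see the log action above).
        http_response_code(400);
        error_log('viewrequest: rejected non-integer ID parameter');
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, donor_name, blood_group, status FROM blood_request WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage; DSN, database name and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=bloodbank;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
]);
$request = viewRequestHardened($pdo, $_GET);
```

Pair the query fix with a database account limited to SELECT on the tables this page needs, so the least-privilege action above bounds the impact even if another injection point is found.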
Evidence notes
The vulnerability description identifies /admin/viewrequest.php as the affected file with the 'ID' parameter as the injection point. CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) are the assigned weakness classifications. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, no user interaction, and proof-of-concept exploit availability. Vendor identification is tentative based on reference domain candidate 'Itsourcecode' with low confidence and review flag set.
Official resources
Public disclosure occurred on 2026-06-01. A public issue tracker reference was published alongside the CVE. No known active exploitation or ransomware campaign use has been documented. The vulnerability remains in 'Received' status per NVD,