PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10251 itsourcecode CVE debrief

A SQL injection vulnerability exists in itsourcecode Online House Rental System 1.0, specifically in the /ajax.php?action=login endpoint where the Username parameter is improperly sanitized. The vulnerability allows remote attackers to manipulate SQL queries through crafted input. The issue was published on 2026-06-01 and carries a MEDIUM severity CVSS score of 5.5. Public exploit availability increases immediate risk for unpatched instances. The vendor attribution is based on reference domain analysis with low confidence and requires review.

Vendor: itsourcecode
Product: Online House Rental System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations operating instances of itsourcecode Online House Rental System 1.0, security teams managing PHP-based rental management applications, and defenders responsible for web application security monitoring.

Technical summary

The itsourcecode Online House Rental System 1.0 contains a SQL injection vulnerability in the /ajax.php?action=login endpoint. The Username parameter accepts unsanitized input that is incorporated into SQL queries without proper parameterization or escaping. Remote attackers can exploit this weakness to manipulate database queries. The CVSS 4.0 score of 5.5 reflects network accessibility, low attack complexity, and limited confidentiality, integrity, and availability impacts. Public exploit availability is noted in the source metadata, elevating practical risk. The weakness classifications include CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the Username parameter in /ajax.php?action=login
  • Restrict network access to the affected application if patching is not immediately feasible
  • Monitor database query logs for anomalous patterns indicative of SQL injection attempts
  • Review and update web application firewall rules to detect SQL injection payloads targeting login endpoints
  • Verify vendor attribution and seek an official patch from itsourcecode when available
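
The first action above, as an added PHP example that is not code from the product or its vendor: the concatenated lookup pattern named in the technical summary beside a login check that validates the username and passes it as a bound parameter. The in-memory PDO/SQLite database, the users table and its columns, and all function names are assumptions made for the example; the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the application's user store
// (schema and names are assumptions, not taken from the product).
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Weak pattern (CWE-89): the username becomes part of the SQL text,
// so a quote character in it changes how the statement parses.
function find_user_concatenated(PDO $db, string $username) {
    $sql = "SELECT id FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchColumn();
}

// Corrected pattern: bound the length, reject control characters and invalid
// UTF-8, then send the value as a bound parameter so it is only ever data.
function login(PDO $db, string $username, string $password): ?int {
    if (preg_match('/\A[^\x00-\x1F\x7F]{1,64}\z/u', $username) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$db = make_demo_db();
$name = "o'neil"; // constructed input containing a single quote

try {
    find_user_concatenated($db, $name);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    echo "concatenated: input altered the SQL text (", $e->getMessage(), ")\n";
}

var_dump(login($db, $name, 'x'));               // quote is treated as literal data
var_dump(login($db, 'alice', 'correct horse')); // normal login still succeeds
```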

Evidence notes

Vulnerability identified in itsourcecode Online House Rental System 1.0. Affected endpoint: /ajax.php?action=login. Vulnerable parameter: Username. Attack vector: remote. Public exploit availability confirmed per source metadata. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in SQL Command) identified as weakness classifications. Vendor attribution derived from reference domain candidate 'Itsourcecode' with low confidence; canonical source marked as reference_domain_weak. NVD status: Deferred.
