PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10253 itsourcecode CVE debrief

A SQL injection vulnerability exists in itsourcecode Online House Rental System 1.0, specifically within the /manage_payment.php file. The ID parameter is susceptible to manipulation, allowing remote attackers to inject arbitrary SQL commands. The vulnerability was disclosed publicly on 2026-06-01 and is rated MEDIUM severity with a CVSS score of 5.5. The exploit is publicly available, increasing the risk of active exploitation. The vendor attribution is based on weak reference domain evidence (itsourcecode) and requires review for confirmation. No known ransomware campaign use or CISA KEV listing is present.

Vendor: itsourcecode
Product: Online House Rental System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running itsourcecode Online House Rental System 1.0, particularly those exposing /manage_payment.php to untrusted networks. Web application security teams, PHP application developers, and property management software operators should prioritize patching or implementing defensive controls.

Technical summary

The vulnerability is a SQL injection (CWE-89) in the /manage_payment.php endpoint of itsourcecode Online House Rental System 1.0. The ID parameter accepts unsanitized user input that is concatenated into SQL queries. Attackers can exploit this remotely without authentication to manipulate database queries. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and no user interaction, with low impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed, though the vulnerability status in NVD is currently Deferred.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the ID parameter in /manage_payment.php
  • Restrict network access to the administrative payment management interface if not required externally
  • Monitor web application logs for suspicious SQL injection patterns targeting /manage_payment.php
  • Contact itsourcecode for official patch availability and apply updates when released
  • Review database user privileges to enforce least privilege and limit impact of successful injection
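As an added illustration of the first and last actions above (example code, not itsourcecode's own handler), a hardened PHP handler for the ID parameter: strict integer validation, a PDO prepared statement, and a low-privilege database account. The table and column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not itsourcecode's code: hardened handling of the ID
// parameter on a payment-management page. The advisory describes the
// unsafe pattern as the raw parameter concatenated into the query text,
// e.g.  "SELECT * FROM payments WHERE id = " . $_GET['id']
// The version below never lets user input become part of the query text.
// Table/column names, DSN and credentials are assumptions for illustration.
declare(strict_types=1);
// Accept only a positive integer; "1 OR 1=1", "1'" and "" are all
// rejected by FILTER_VALIDATE_INT before the value reaches the database.
function validatePaymentId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as a typed parameter, so the SQL text is constant.
function fetchPayment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, tenant_id, amount, paid_at FROM payments WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Least privilege (last action above): connect as an account limited to the
// rows this page needs, with real server-side prepared statements.
$db = new PDO('mysql:host=localhost;dbname=rental', 'payments_ro', 'REDACTED', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$id = validatePaymentId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid payment id');
}
$payment = fetchPayment($db, $id);
if ($payment === null) {
    http_response_code(404);
    exit('Payment not found');
}
header('Content-Type: application/json');
echo json_encode($payment, JSON_THROW_ON_ERROR);
```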

Evidence notes

Vulnerability disclosed via VulDB and NVD on 2026-06-01. Public exploit reference available through GitHub issue. Vendor identification derived from reference domain candidate with low confidence.
