PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10265 itsourcecode CVE debrief

A SQL injection vulnerability exists in itsourcecode Content Management System 1.0, specifically in the /admin/edit_topic.php file via the topic_id parameter. The vulnerability allows remote attackers with low privileges to manipulate SQL queries. The CVSS 4.0 score of 2.1 (LOW) reflects limited impact scope, though the exploit is publicly available per source assessment. The vendor attribution is derived from reference domain analysis with low confidence and requires review.

Vendor: itsourcecode
Product: Content Management System
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

  • Organizations running itsourcecode Content Management System 1.0 with exposed administrative interfaces
  • Security teams monitoring for SQL injection in PHP-based CMS platforms
  • Defenders tracking publicly disclosed vulnerabilities with available exploits

Technical summary

The /admin/edit_topic.php endpoint in itsourcecode Content Management System 1.0 fails to properly sanitize the topic_id parameter, allowing SQL injection. The vulnerability is remotely exploitable with low privileges and requires no user interaction. Impact is limited per CVSS 4.0 scoring (VC:L/VI:L/VA:L). The exploit has been assessed as publicly available (E:P).

Defensive priority

LOW

Recommended defensive actions

  • Apply input validation and parameterized queries for the topic_id parameter in /admin/edit_topic.php
  • Restrict administrative interface access to trusted networks
  • Monitor for anomalous database query patterns from the CMS administrative functions
  • Review vendor security advisories from itsourcecode for official patches when available
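
The first action above, sketched as an added example; this is not the product's code. The PDO/SQLite in-memory database (needs the pdo_sqlite extension, PHP 8+), the `topics` table and its columns, and the helper names `parse_topic_id` and `load_topic` are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept topic_id only as a positive integer string.
function parse_topic_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // rejects missing values and arrays such as topic_id[]=2
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical lookup: the value is bound as an integer and never concatenated into the SQL text.
function load_topic(PDO $db, int $topicId): ?array
{
    $stmt = $db->prepare('SELECT topic_id, title FROM topics WHERE topic_id = :id');
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data (assumed schema, not the CMS's real one).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO topics VALUES (1, 'Welcome'), (2, 'Release notes')");

// Constructed inputs: one valid id, two malformed strings, an array, an unknown id.
foreach (['2', "2'", '2abc', ['2'], '999'] as $raw) {
    $id = parse_topic_id($raw);
    if ($id === null) {
        echo 'rejected: ', json_encode($raw), "\n";
        continue;
    }
    $row = load_topic($db, $id);
    echo $row ? "topic {$row['topic_id']}: {$row['title']}\n" : "no topic with id $id\n";
}
```

Validation and binding are kept as separate layers: the bound parameter is what prevents injection, while the integer check rejects malformed requests before they reach the database and gives a clean point to log them.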

Evidence notes

The vulnerability was identified in /admin/edit_topic.php through manipulation of the topic_id parameter. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and no user interaction. Weaknesses are mapped to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection). Vendor identification is based on the reference domain candidate 'Itsourcecode' with low confidence. The CNA source is VulDB. NVD status is 'Received' as of the publication date.
