PatchSiren cyber security CVE debrief
CVE-2026-9383 itsourcecode CVE debrief
A SQL injection vulnerability exists in the itsourcecode Electronic Judging System 1.0, specifically within the /intrams/admin/login.php endpoint. The Username parameter is susceptible to injection, enabling remote attackers to manipulate database queries. The vulnerability has been publicly disclosed with exploit availability confirmed, though no known ransomware campaign use has been identified. The CVSS 4.0 vector indicates network attack vector with low complexity, no privileges required, and low impacts across confidentiality, integrity, and availability dimensions. The vulnerability status is currently Deferred in the NVD.
- Vendor
- itsourcecode
- Product
- Electronic Judging System
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-24
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-24
- Advisory updated
- 2026-05-26
Who should care
Organizations operating itsourcecode Electronic Judging System 1.0; security teams managing PHP-based judging or competition platforms; administrators of systems utilizing this specific software package
Technical summary
The itsourcecode Electronic Judging System 1.0 contains a SQL injection vulnerability in the administrative login component. The /intrams/admin/login.php file fails to properly sanitize user-supplied input in the Username parameter, allowing attackers to inject malicious SQL statements. This can be exploited remotely without authentication, potentially enabling unauthorized database access, authentication bypass, or data manipulation. The vulnerability is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Defensive priority
medium
Recommended defensive actions
- Review and restrict network access to /intrams/admin/login.php endpoint
- Implement parameterized queries or prepared statements for Username field
- Apply input validation and sanitization on authentication parameters
- Monitor for suspicious authentication attempts targeting admin login
- Contact itsourcecode for official patch availability
- Consider web application firewall rules to detect SQL injection patterns
Evidence notes
Vulnerability disclosed via GitHub issue and VulDB submission. Vendor identification remains uncertain with low confidence classification.
Official resources
public