PatchSiren cyber security CVE debrief

CVE-2026-9525 itsourcecode CVE debrief

A SQL injection vulnerability exists in itsourcecode Electronic Judging System 1.0 in the /admin/edit_judge.php endpoint, where the judge_id parameter is placed into a database query without validation or parameterization. A remote attacker can therefore alter the SQL statement the application executes by supplying crafted input in that parameter. The issue was disclosed publicly on 2026-05-26, with exploit details available at the time of disclosure. The CVSS 4.0 vector reported for the issue indicates network attack vector, low attack complexity, no privileges required, and low impact on confidentiality, integrity, and availability. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') and its parent class CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').

Vendor
itsourcecode
Product
Electronic Judging System
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running itsourcecode Electronic Judging System 1.0; security teams monitoring PHP-based judging or competition management platforms; defenders responsible for database-backed web applications with administrative interfaces

Technical summary

The itsourcecode Electronic Judging System 1.0 contains a SQL injection vulnerability in the administrative endpoint /admin/edit_judge.php. The judge_id parameter, which should only ever hold a numeric record identifier, is used in a query without validation or parameterization, so an attacker can append SQL of their own to the statement the application runs. This is a classic injection flaw (CWE-89): untrusted data is sent to an interpreter as part of a command or query. The reported vector scores the issue as exploitable without privileges; however, the endpoint lives under /admin/, and the available sources do not state whether the application checks for an administrator session before executing the query. Confirm this in the code before accepting the PR:N rating, since the practical severity differs considerably between an unauthenticated and an admin-only SQL injection. The record is marked Deferred in NVD, which means NVD has not prioritized its own enrichment of the entry; the score and vector shown therefore most likely come from the submitting CNA rather than an independent NVD analysis.
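The page does not reproduce the vendor's query, so the following is an added illustration of the pattern behind this CVE, not code from the Electronic Judging System. The table name (judges), the column name (judge_id), the mysqli handle ($conn) and the session layout used for the admin check are all assumptions made for the example. It shows the vulnerable string-concatenated query beside a hardened version that validates the identifier as an integer and binds it through a prepared statement.

```php
<?php
// Added illustration of the CVE-2026-9525 pattern. Table/column names,
// the $conn mysqli handle and the session layout are assumptions; the
// page does not reproduce the vendor's actual query.

// --- Vulnerable pattern (do not use): judge_id is concatenated into SQL ---
function loadJudgeVulnerable(mysqli $conn, array $get): ?array
{
    $judgeId = $get['judge_id'] ?? '';
    // Untrusted input lands inside the SQL text, so a value such as
    // "1' OR 1=1-- -" or "1 UNION SELECT ..." changes the query that runs.
    $sql = "SELECT * FROM judges WHERE judge_id = '" . $judgeId . "'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened version: validate the type, then bind as a parameter ---
function loadJudgeHardened(mysqli $conn, array $get): ?array
{
    // judge_id is a numeric primary key, so reject anything that is not a
    // positive integer before it gets anywhere near the database.
    $judgeId = filter_var($get['judge_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($judgeId === false) {
        http_response_code(400);
        return null;
    }

    // Prepared statement: the SQL text is fixed and the value travels
    // separately, so it can never be parsed as part of the query.
    $stmt = $conn->prepare('SELECT * FROM judges WHERE judge_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $judgeId);
    $stmt->execute();
    // get_result() needs the mysqlnd driver; use bind_result() otherwise.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Authorization gate for an /admin/ endpoint (assumed session layout):
// make sure the caller is a logged-in administrator before any query runs.
function requireAdmin(): void
{
    session_start();
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

The integer validation and the prepared statement are independent defences: the first keeps malformed identifiers out of the application entirely, the second guarantees that whatever does reach the database is treated as data, never as SQL. Applying only a blocklist of SQL keywords to judge_id is not an adequate substitute for either.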

Defensive priority

medium

Recommended defensive actions

  • Fix the code: treat judge_id in /admin/edit_judge.php as an integer (reject anything else) and pass it to the database as a bound parameter of a prepared statement rather than concatenating it into the query
  • Require an authenticated administrator session for every handler under /admin/, and restrict network access to those endpoints (VPN, IP allow-list, or a separate management vhost) so they are not reachable from arbitrary clients
  • Review web server access logs and, where enabled, database query logs for requests to /admin/edit_judge.php whose judge_id is not a plain number; because the parameter is a numeric key, any quote, space, comment marker or SQL keyword in it is a strong indicator of probing
  • Audit the rest of the application for the same pattern; itsourcecode projects typically build queries from request parameters in many scripts, so this endpoint is unlikely to be the only one affected
  • Deploy web application firewall rules for SQL injection payloads as a compensating control while the code is fixed, not as a replacement for parameterized queries
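As an added example of the log-review action above (not part of the original debrief), this script scans web server access log lines in combined log format and flags every request to /admin/edit_judge.php whose judge_id is not a plain integer. The four log lines embedded in it are constructed for the example; the client addresses, timestamps and user agents are not taken from any real incident.

```php
<?php
// Added triage example: flag requests to /admin/edit_judge.php whose
// judge_id is not purely numeric. The log lines below are constructed
// sample data, not from a real incident.

$sampleLog = <<<'LOG'
203.0.113.5 - - [26/May/2026:10:01:12 +0000] "GET /admin/edit_judge.php?judge_id=7 HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2026:10:02:40 +0000] "GET /admin/edit_judge.php?judge_id=7%27%20OR%201%3D1--%20- HTTP/1.1" 200 9041 "-" "sqlmap/1.8"
203.0.113.9 - - [26/May/2026:10:02:41 +0000] "GET /admin/edit_judge.php?judge_id=7%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 311 "-" "sqlmap/1.8"
198.51.100.2 - - [26/May/2026:10:03:05 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
LOG;

/**
 * Return one entry per request whose judge_id is not a string of digits.
 * The endpoint expects an integer key, so anything else is suspicious no
 * matter which SQL keyword (if any) it happens to contain.
 */
function findSuspiciousJudgeIds(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $parts = parse_url($m[1]);
        if (($parts['path'] ?? '') !== '/admin/edit_judge.php' || empty($parts['query'])) {
            continue;
        }
        parse_str($parts['query'], $params); // parse_str also URL-decodes the value
        if (!isset($params['judge_id'])) {
            continue;
        }
        $value = $params['judge_id'];
        // Arrays (judge_id[]=...) and empty or non-digit strings are all flagged.
        if (!is_string($value) || !ctype_digit($value)) {
            $hits[] = [
                'client'   => strtok($line, ' '),
                'judge_id' => is_string($value) ? $value : '(array)',
            ];
        }
    }
    return $hits;
}

// With the sample data this reports the two sqlmap-style requests from
// 203.0.113.9 and stays silent on the legitimate judge_id=7 lookup.
foreach (findSuspiciousJudgeIds($sampleLog) as $hit) {
    printf("%s judge_id=%s\n", $hit['client'], $hit['judge_id']);
}
```

The check is deliberately an allow-list on the expected type rather than a search for SQL keywords: a blocklist misses encoded or obfuscated payloads, whereas "must be all digits" has no bypass for an integer key. Run the same function over real logs by replacing $sampleLog with the file contents; POST bodies are not in access logs, so if the endpoint also accepts judge_id via POST, the application-level fix and database-side logging are the only way to see those requests.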

Evidence notes

Vulnerability disclosed via GitHub issue and VulDB submission. Exploit details publicly available as of CVE publication date.
