PatchSiren cyber security CVE debrief
CVE-2026-9527 itsourcecode CVE debrief
A cross-site scripting (XSS) vulnerability exists in itsourcecode Electronic Judging System 1.0, specifically within the `/admin/judges.php` file. The `fname` parameter is susceptible to improper input sanitization, allowing remote attackers to inject malicious scripts. The vulnerability has been publicly disclosed with proof-of-concept availability, though exploitation requires user interaction. The CVSS 4.0 score of 2.1 reflects a limited impact scope: successful exploitation affects integrity only, with no confidentiality or availability impact, and requires a victim to interact with the malicious payload. The vulnerability was published to NVD on 2026-05-26 and remains in 'Deferred' status as of the last modification on 2026-05-26.
- Vendor: itsourcecode
- Product: Electronic Judging System
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations operating itsourcecode Electronic Judging System 1.0; security teams managing PHP-based contest or judging platforms; developers maintaining legacy itsourcecode distributions
Technical summary
The vulnerability resides in the administrative judges management interface (`/admin/judges.php`) of the Electronic Judging System 1.0 distributed by itsourcecode. Insufficient sanitization of the `fname` (first name) parameter enables reflected or stored XSS attacks. The attack surface is limited by the requirement for user interaction and the administrative context of the affected endpoint. No authentication requirements are specified in available data, though administrative paths typically imply prior authentication. The CVSS 4.0 scoring (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N) confirms network exploitability with low complexity but mandates user interaction, resulting in localized integrity impact without broader system compromise.
Defensive priority
low
Recommended defensive actions
- Implement strict input validation and output encoding for the `fname` parameter in `/admin/judges.php`
- Apply context-appropriate sanitization using established libraries (e.g., OWASP Java Encoder, PHP `htmlspecialchars()`)
- Deploy Content Security Policy (CSP) headers to mitigate impact of successful XSS exploitation
- Review and sanitize all user-controllable parameters in administrative interfaces
- Consider Web Application Firewall (WAF) rules to detect and block XSS payloads in the `fname` parameter
- Verify vendor support status for Electronic Judging System 1.0 and evaluate migration to maintained alternatives
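The first three actions above, shown in PHP as an added illustration. This is not itsourcecode's code: the page does not reproduce `judges.php`, so the "before" is a reconstruction of the CWE-79 pattern (the `fname` value concatenated into HTML unencoded), and the hardened version assumes `fname` arrives via `$_POST` and that the handler already sits behind the admin session check.

```php
<?php
// Added illustration, not itsourcecode's code. The real judges.php is not
// on the page; the unsafe function reconstructs the CWE-79 pattern only.

// --- Vulnerable pattern (hypothetical reconstruction) ---
function render_judge_row_unsafe(array $judge): string
{
    // `fname` came from the request (reflected) or from the judges table
    // (stored) and is concatenated straight into markup: an XSS sink.
    return '<td>' . $judge['fname'] . '</td>';
}

// --- Hardened handling ---

// Validation at the trust boundary: a first name has a narrow shape, so
// reject anything outside it instead of trying to "clean" a payload.
function validate_fname(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    // Letters in any script, combining marks, spaces, apostrophes,
    // hyphens; 1..60 characters. Angle brackets and quotes never pass.
    if (preg_match('/^[\p{L}\p{M}\' \-]{1,60}\z/u', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Output encoding at the sink: encode for the HTML text/attribute context
// every time the value is rendered, whether it was just submitted
// (reflected) or read back from the database later (stored).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_judge_row(array $judge): string
{
    return '<td>' . h($judge['fname']) . '</td>';
}

// Defence in depth: a CSP without 'unsafe-inline' limits what an injected
// script could do if an encoding gap is ever missed elsewhere in the app.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");

$fname = validate_fname($_POST['fname'] ?? null);   // assumed POST field
if ($fname === null) {
    http_response_code(400);
    exit('Invalid first name');
}
echo render_judge_row(['fname' => $fname]);
```

Validation alone is not the fix: the encoding in `h()` is what neutralises a value that reached the page by another route, such as a row inserted before the validation existed.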
Evidence notes
Vulnerability identified through analysis of the `/admin/judges.php` endpoint with the `fname` parameter as the attack vector. Public disclosure confirmed via GitHub issue tracker. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, but user interaction necessary. Weakness classifications include CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection). Vendor identification remains uncertain: 'itsourcecode' appears to be the distribution source rather than a confirmed vendor entity.