Threat Feed
high threat

itsourcecode Electronic Judging System 1.0 SQL Injection Vulnerability (CVE-2026-9525)

A SQL Injection vulnerability exists in itsourcecode Electronic Judging System version 1.0 in the /admin/edit_judge.php file. By manipulating the judge_id argument, an attacker could execute arbitrary SQL commands on the system. The vulnerability can be triggered remotely and has a public exploit available.

A SQL Injection vulnerability, identified as CVE-2026-9525, has been discovered in itsourcecode Electronic Judging System 1.0. The vulnerability is located in the /admin/edit_judge.php file and can be exploited by manipulating the judge_id argument. This flaw allows remote attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The existence of a public exploit increases the risk of widespread exploitation. Given the nature of SQL injection vulnerabilities, successful exploitation can have significant consequences for the affected system and its data.

Attack Chain

  1. An attacker identifies an instance of itsourcecode Electronic Judging System 1.0.
  2. The attacker crafts a malicious HTTP request targeting the /admin/edit_judge.php file.
  3. The request includes a manipulated judge_id parameter containing a SQL injection payload.
  4. The server-side application fails to properly sanitize the input.
  5. The application executes the attacker’s SQL injection payload against the database.
  6. The attacker gains unauthorized access to sensitive data, such as usernames, passwords, or judging criteria.
  7. The attacker modifies or deletes data within the database, potentially disrupting the judging process.

Impact

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive judging system data. This includes potential access to judge profiles, scoring data, and system configurations. Attackers could modify results, compromise the integrity of the competition, or gain persistent access to the system. Given a CVSS v3.1 score of 7.3, this vulnerability is considered high severity.

Recommendation

  • Apply appropriate input validation and sanitization techniques to all user-supplied input, especially within the /admin/edit_judge.php file, to prevent SQL injection attacks.
  • Deploy the Sigma rule “Detect CVE-2026-9525 Exploitation Attempt via Malicious judge_id Parameter” to detect exploitation attempts.
  • Restrict access to the /admin/edit_judge.php page to authorized personnel only, implementing strong authentication and authorization controls.
  • Regularly review and update the itsourcecode Electronic Judging System to the latest version or apply available patches to address known vulnerabilities, referencing CVE-2026-9525.

Detection coverage (2 rules)

Detect CVE-2026-9525 Exploitation Attempt via Malicious judge_id Parameter

Severity: high

Detects CVE-2026-9525 exploitation attempts by identifying SQL injection payloads in the judge_id parameter within requests to /admin/edit_judge.php.

Rule type: sigma | Tactics: initial_access | Techniques: T1190, T1505.003 | Sources: webserver

Detect CVE-2026-9525 Exploitation Attempt via POST Request

Severity: high

Detects CVE-2026-9525 exploitation attempts via POST requests to /admin/edit_judge.php with SQL injection in the judge_id parameter.

Rule type: sigma | Tactics: initial_access | Techniques: T1190, T1505.003 | Sources: webserver
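As an added example (not code from the advisory, the detection platform or itsourcecode), the following Python check implements the logic the two rules above describe over constructed Apache-style access log lines: any request to /admin/edit_judge.php whose judge_id is not a bare integer is flagged, and the POST case is covered only when the log source also records the request body (an assumption; plain access logs carry just the query string).

```python
import re
from urllib.parse import urlparse, parse_qs

TARGET_PATH = "/admin/edit_judge.php"
PARAM = "judge_id"

# Combined Log Format as written by Apache/nginx; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Consulted only after the allow-list fails, to label why the value was rejected.
SQL_MARKERS = re.compile(r"('|--|;|/\*|\b(union|select|or|and|sleep|benchmark)\b)", re.I)

def inspect_request(line, body=None):
    """Return a finding dict for a suspicious judge_id, or None.

    `body` is the decoded POST body if the log source records it (a WAF or
    reverse proxy, assumed here); plain access logs only carry the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if url.path != TARGET_PATH:
        return None
    values = parse_qs(url.query).get(PARAM, [])   # parse_qs already URL-decodes
    if body:
        values += parse_qs(body).get(PARAM, [])
    for value in values:
        if re.fullmatch(r"\d{1,10}", value):      # allow-list: a bare integer id
            continue
        reason = "sql_marker" if SQL_MARKERS.search(value) else "non_integer"
        return {"ip": m["ip"], "method": m["method"], "status": m["status"],
                "judge_id": value, "reason": reason}
    return None

# Constructed sample lines (not real traffic); the last one hits another path and is ignored.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /admin/edit_judge.php?judge_id=7 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [12/Mar/2026:10:01:09 +0000] "GET /admin/edit_judge.php?judge_id=7%27 HTTP/1.1" 500 512',
    '203.0.113.9 - - [12/Mar/2026:10:01:15 +0000] "GET /admin/edit_judge.php?judge_id=7abc HTTP/1.1" 500 512',
    '10.0.0.6 - - [12/Mar/2026:10:02:00 +0000] "GET /admin/index.php?judge_id=7%27 HTTP/1.1" 200 300',
]

def scan(lines, bodies=None):
    """Run inspect_request over a batch; `bodies` maps line index -> recorded POST body."""
    bodies = bodies or {}
    return [f for i, l in enumerate(lines) if (f := inspect_request(l, bodies.get(i)))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Pair the alert with the response status: a 500 on the same request is a strong sign the injected value reached the database query rather than being rejected up front.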
