
CVE-2026-9526: SQL Injection Vulnerability in itsourcecode Electronic Judging System

A SQL injection vulnerability exists in itsourcecode Electronic Judging System version 1.0, specifically affecting the /admin/edit_team.php file, where an attacker can remotely manipulate the 'num_id' argument to execute arbitrary SQL commands.

A SQL injection vulnerability, identified as CVE-2026-9526, has been discovered in itsourcecode Electronic Judging System version 1.0. This vulnerability specifically affects the /admin/edit_team.php file. By manipulating the num_id argument, a remote attacker can inject arbitrary SQL commands into the application’s database queries. The vulnerability has been made public, increasing the risk of exploitation. This poses a significant threat to organizations using the affected software as it can lead to unauthorized data access, modification, or deletion. The base CVSS v3.1 score is rated as 7.3 (HIGH).

Attack Chain

  1. Attacker identifies a vulnerable instance of itsourcecode Electronic Judging System 1.0.
  2. The attacker crafts a malicious HTTP request targeting the /admin/edit_team.php endpoint.
  3. The attacker injects SQL code into the num_id parameter within the HTTP request’s query string or POST data.
  4. The application fails to properly sanitize the input, allowing the injected SQL code to be passed to the database server.
  5. The database server executes the attacker-controlled SQL code.
  6. The attacker retrieves sensitive information from the database, such as usernames, passwords, or judging data.
  7. The attacker modifies data within the database, potentially altering judging results or compromising user accounts.
  8. The attacker gains complete control over the application and underlying server.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-9526) can lead to severe consequences, including unauthorized access to sensitive judging data, manipulation of results, and complete compromise of the affected system. The number of victims is currently unknown, but any organization using the vulnerable version of itsourcecode Electronic Judging System could be affected. This could result in significant reputational damage, financial losses, and legal repercussions.

Recommendation

  • Apply appropriate input validation and sanitization to the num_id parameter in /admin/edit_team.php to prevent SQL injection (CVE-2026-9526).
  • Deploy the Sigma rule provided to detect potential exploitation attempts targeting the vulnerable endpoint.
  • Implement a web application firewall (WAF) rule to block requests containing SQL injection payloads directed at /admin/edit_team.php.
  • Restrict access to the /admin/edit_team.php endpoint to authorized personnel only.
  • Monitor web server logs for suspicious activity targeting the /admin/edit_team.php endpoint.

Detection coverage (2 rules)

Detects CVE-2026-9526 Exploitation — SQL Injection in Electronic Judging System

Severity: high

Detects CVE-2026-9526 exploitation — SQL injection attempts targeting the /admin/edit_team.php endpoint by identifying SQL keywords within the num_id parameter.

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver

Detects CVE-2026-9526 Exploitation — Error-Based SQL Injection in Electronic Judging System

Severity: high

Detects CVE-2026-9526 exploitation — Error-based SQL injection attempts by identifying common error triggers within the num_id parameter.

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver
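The two detections described above can be approximated over web server access logs with the following added example, which is not the advisory's Sigma rules. It assumes Combined Log Format; the keyword and error-trigger lists and the sample log lines are constructed for illustration, and because access logs record only the query string, num_id values sent in POST data are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/admin/edit_team.php"
# Request line inside a Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Assumed pattern lists (not taken from the advisory); tune them before use.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|sleep|or|and)\b", re.I)
ERROR_TRIGGERS = re.compile(r"['\"\\]|--|#|/\*")

# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /admin/edit_team.php?num_id=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /admin/edit_team.php?num_id=7%27 HTTP/1.1" 500 120',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /admin/edit_team.php?num_id=7+UNION+SELECT+1 HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2026:10:00:12 +0000] "GET /index.php?num_id=7%27 HTTP/1.1" 200 300',
]

def classify_num_id(value):
    """Return the detection labels that a URL-decoded num_id value matches."""
    labels = []
    if SQL_KEYWORDS.search(value):
        labels.append("sql_keyword")
    if ERROR_TRIGGERS.search(value):
        labels.append("error_trigger")
    return labels

def scan_access_log(lines):
    """Return (client_ip, num_id, labels) for suspicious requests to ENDPOINT."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so encoded payloads are matched too.
        for value in parse_qs(url.query, keep_blank_values=True).get("num_id", []):
            labels = classify_num_id(value)
            if labels:
                hits.append((line.split()[0], value, labels))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```
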
