Threat Feed
Severity: high

itsourcecode Electronic Judging System 1.0 SQL Injection Vulnerability (CVE-2026-9528)

itsourcecode Electronic Judging System 1.0 is vulnerable to SQL injection via the judge_id parameter in /admin/delete_judge.php, allowing remote attackers to execute arbitrary SQL queries.

A SQL injection vulnerability, tracked as CVE-2026-9528, exists in itsourcecode Electronic Judging System version 1.0. The flaw is located in the /admin/delete_judge.php file. By manipulating the judge_id parameter, a remote attacker can inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. A public exploit is available, which increases the likelihood that the vulnerability will be exploited.

Attack Chain

  1. The attacker identifies an instance of Electronic Judging System 1.0.
  2. The attacker crafts a malicious HTTP request targeting the /admin/delete_judge.php endpoint.
  3. The request includes a manipulated judge_id parameter containing SQL injection payloads.
  4. The application fails to properly sanitize the judge_id input before using it in a SQL query.
  5. The injected SQL code is executed within the application’s database context.
  6. The attacker extracts sensitive information from the database, such as user credentials or judging data.
  7. The attacker modifies database records to manipulate judging outcomes or disrupt system functionality.
  8. The attacker gains unauthorized access to administrative functions or other sensitive system resources.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary SQL queries, potentially leading to the complete compromise of the application’s database. This may result in unauthorized access to sensitive information, data modification, or even complete data loss. Given the nature of the application, attackers could manipulate judging outcomes, leading to unfair or inaccurate results.

Recommendation

  • Apply input validation to the judge_id parameter in /admin/delete_judge.php and pass it to the database through a parameterized query rather than string concatenation, to prevent SQL injection (CVE-2026-9528).
  • Deploy the Sigma rules listed under Detection coverage to detect suspicious requests targeting the /admin/delete_judge.php endpoint.
  • Monitor web server logs for SQL error messages, which may indicate exploitation attempts.
  • Upgrade to a patched version of itsourcecode Electronic Judging System that addresses this vulnerability, if one is available.
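The following is an added example, not code from the Electronic Judging System (its delete_judge.php is not reproduced on this page). It models the vulnerable pattern the advisory describes beside the hardened form recommended above, using Python and an in-memory SQLite table; the table name `judges`, its rows, the `judge_id` column type and the payload string are assumptions constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the application's judges table. The schema, rows
# and table name are assumptions for this example; the real delete_judge.php
# and its database are not reproduced here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE judges (judge_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO judges VALUES (?, ?)",
                     [(1, "Judge A"), (2, "Judge B"), (3, "Judge C")])
    conn.commit()
    return conn

def delete_judge_unsafe(conn, raw_judge_id):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so the client controls the WHERE clause. Returns the number of rows deleted.
    cur = conn.execute(f"DELETE FROM judges WHERE judge_id = {raw_judge_id}")
    conn.commit()
    return cur.rowcount

# Allow-list: a judge identifier is a positive integer of bounded length.
JUDGE_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def parse_judge_id(raw):
    if not isinstance(raw, str) or not JUDGE_ID_RE.fullmatch(raw):
        raise ValueError("invalid judge_id")
    return int(raw)

def delete_judge_safe(conn, raw_judge_id):
    # Hardened form: validate first, then bind the value as a parameter. The
    # driver sends the value separately from the statement text, so it can
    # never change the structure of the query. Returns rows deleted.
    judge_id = parse_judge_id(raw_judge_id)
    cur = conn.execute("DELETE FROM judges WHERE judge_id = ?", (judge_id,))
    conn.commit()
    return cur.rowcount

def delete_judge_param_only(conn, raw_judge_id):
    # Parameter binding with no validation at all: still not injectable, since
    # the payload is compared as a literal value and matches no row.
    cur = conn.execute("DELETE FROM judges WHERE judge_id = ?", (raw_judge_id,))
    conn.commit()
    return cur.rowcount

def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM judges").fetchone()[0]

def demo():
    payload = "1 OR 1=1"  # constructed tautology; no quoting needed on a numeric column

    unsafe = make_db()
    unsafe_deleted = delete_judge_unsafe(unsafe, payload)          # every judge is gone

    param_only = make_db()
    param_deleted = delete_judge_param_only(param_only, payload)   # nothing matches

    safe = make_db()
    try:
        delete_judge_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True                                            # validation refuses it
    safe_deleted = delete_judge_safe(safe, "2")                    # only the intended row

    return {
        "unsafe_deleted": unsafe_deleted, "unsafe_left": remaining(unsafe),
        "param_only_deleted": param_deleted, "param_only_left": remaining(param_only),
        "safe_rejected": rejected, "safe_deleted": safe_deleted, "safe_left": remaining(safe),
    }

if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome of all three variants: the concatenated query deletes every row, parameter binding alone deletes none, and the validated, parameterized version rejects the payload outright while still deleting the intended record. Validation plus binding is the defence in depth to aim for; binding is what actually closes the injection.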

Detection coverage (2 rules)

Detect CVE-2026-9528 Exploitation Attempt - SQL Injection in judge_id

Severity: high

Detects potential exploitation attempts of CVE-2026-9528 by monitoring HTTP requests to /admin/delete_judge.php with suspicious SQL injection payloads in the judge_id parameter.

Format: Sigma | Tactics: initial_access | Techniques: T1190, T1595.002 | Sources: webserver

Detect CVE-2026-9528 Exploitation Attempt - Common SQL Injection Payloads

Severity: medium

Detects CVE-2026-9528 exploitation attempts: HTTP requests to /admin/delete_judge.php whose judge_id parameter contains common SQL injection keywords.

Format: Sigma | Tactics: initial_access | Techniques: T1190, T1595.002 | Sources: webserver
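The two rules above are described but not printed on this page. As an added example, independent of the vendor's Sigma rules, the Python below implements the same detection logic over web server access logs: it scopes to /admin/delete_judge.php, percent-decodes the judge_id value, and classifies it as high (structural injection indicators such as quotes, comment sequences, tautologies or UNION ... SELECT) or medium (bare SQL keywords), mirroring the severities of the two rules. The log lines, regex keyword lists and severity mapping are constructed assumptions, not the content of the real rules.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access log lines in combined log format. Addresses, timestamps,
# user agents and payloads are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /admin/delete_judge.php?judge_id=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /admin/delete_judge.php?judge_id=7%20OR%201%3D1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:01:15 +0000] "GET /admin/delete_judge.php?judge_id=7%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2026:10:02:00 +0000] "GET /admin/judges.php?judge_id=7%20OR%201%3D1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:02:30 +0000] "GET /admin/delete_judge.php?judge_id=7%20AND%202 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:03:00 +0000] "GET /admin/delete_judge.php?judge_id=abc HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The rules are scoped to the vulnerable endpoint named in the advisory.
TARGET_PATH = "/admin/delete_judge.php"

# High: structural injection indicators (quotes, comment sequences, statement
# separators, OR-tautologies, UNION ... SELECT). Assumed list, tune to taste.
STRONG_RE = re.compile(
    r"""['"]|--|/\*|#|;|\bor\b\s+\S+\s*=\s*\S+|\bunion\b\s+(all\s+)?select\b""", re.I)

# Medium: common SQL keywords as whole words. Expect some noise from ordinary
# text containing "and"/"or"; that is the trade-off the medium tier accepts.
KEYWORD_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop|where|sleep|benchmark|and|or)\b", re.I)

def classify(judge_id):
    """Map a decoded judge_id value to an alert severity, or None if benign."""
    if STRONG_RE.search(judge_id):
        return "high"
    if KEYWORD_RE.search(judge_id):
        return "medium"
    return None

def scan_log(text):
    """Return one alert per judge_id value that looks like an injection attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access log line
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue                      # other endpoints are out of scope
        # parse_qs percent-decodes, so encoded payloads are inspected in clear form
        for raw in parse_qs(url.query, keep_blank_values=True).get("judge_id", []):
            severity = classify(raw)
            if severity:
                alerts.append({"severity": severity, "src_ip": m.group("ip"),
                               "timestamp": m.group("ts"),
                               "status": int(m.group("status")), "judge_id": raw})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the scanner raises two high alerts and one medium alert from the three encoded payloads, ignores the plain integer, ignores the same payload sent to a different page, and stays silent on the malformed but harmless value `abc`. Pairing the alert's status code with the judge_id is useful in triage: a 500 on a delete request is consistent with the SQL error messages the recommendations suggest watching for.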
