{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/itsourcecode/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9528"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Electronic Judging System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-9528","itsourcecode"],"_cs_type":"advisory","_cs_vendors":["itsourcecode"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-9528, exists in itsourcecode Electronic Judging System version 1.0. The vulnerability is located in the \u003ccode\u003e/admin/delete_judge.php\u003c/code\u003e file. By manipulating the \u003ccode\u003ejudge_id\u003c/code\u003e argument, a remote attacker can inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. 
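\u003c/p\u003e
\u003cp\u003eAs an added example, not code from the itsourcecode project or from this brief, the following Python script reproduces the class of bug described for \u003ccode\u003e/admin/delete_judge.php\u003c/code\u003e against an in-memory SQLite table, shows the parameterized fix alongside it, and applies the same positive-integer check to request targets so that a malformed \u003ccode\u003ejudge_id\u003c/code\u003e can be flagged from web server logs. The \u003ccode\u003ejudges\u003c/code\u003e table, its columns and the sample request targets are constructed assumptions; only the endpoint path and the parameter name come from the advisory.\u003c/p\u003e

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema standing in for the application's judges table.
# Assumption: the real table and column names are not given in the brief.
def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE judges (judge_id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO judges VALUES (?, ?)',
                     [(1, 'Ada'), (2, 'Grace'), (3, 'Linus')])
    conn.commit()
    return conn


def remaining_ids(conn):
    return [row[0] for row in conn.execute('SELECT judge_id FROM judges ORDER BY judge_id')]


def delete_judge_vulnerable(conn, judge_id):
    # The request parameter is pasted straight into the statement, which is
    # the weakness the advisory describes: the value becomes part of the SQL,
    # so a payload such as 1 OR 1=1 widens the WHERE clause to every row.
    conn.execute('DELETE FROM judges WHERE judge_id = ' + judge_id)
    conn.commit()
    return remaining_ids(conn)


def delete_judge_fixed(conn, judge_id):
    # Two layers: validate the shape first (a judge id is a positive integer),
    # then bind the value as a parameter so the database never parses it as SQL.
    if not re.fullmatch('[1-9][0-9]*', judge_id):
        raise ValueError('judge_id must be a positive integer')
    conn.execute('DELETE FROM judges WHERE judge_id = ?', (int(judge_id),))
    conn.commit()
    return remaining_ids(conn)


# Detection side: a request to the affected endpoint whose judge_id is not a
# bare integer has no legitimate reason to exist and is worth alerting on.
TARGET_PATH = '/admin/delete_judge.php'


def is_suspicious_request(request_target):
    parts = urlsplit(request_target)
    if parts.path != TARGET_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get('judge_id', [])
    # parse_qs percent-decodes for us, so URL-encoded payloads are caught too.
    return any(re.fullmatch('[1-9][0-9]*', v) is None for v in values)


def scan(request_targets):
    return [t for t in request_targets if is_suspicious_request(t)]


# Constructed request targets (not real traffic): one benign hit on the
# endpoint, two injection attempts, one hit on an unrelated page, one blank id.
SAMPLE_REQUESTS = [
    '/admin/delete_judge.php?judge_id=2',
    '/admin/delete_judge.php?judge_id=1%20OR%201%3D1',
    '/admin/delete_judge.php?judge_id=1%27%20OR%20%271%27%3D%271',
    '/admin/judges.php?judge_id=1%20OR%201%3D1',   # other page, outside this rule's scope
    '/admin/delete_judge.php?judge_id=',
]

if __name__ == '__main__':
    db = make_db()
    print('vulnerable, payload 1 OR 1=1 ->', delete_judge_vulnerable(db, '1 OR 1=1'))
    db = make_db()
    try:
        delete_judge_fixed(db, '1 OR 1=1')
    except ValueError as exc:
        print('fixed rejects payload:', exc)
    print('fixed, judge_id=2 ->', delete_judge_fixed(db, '2'))
    for target in scan(SAMPLE_REQUESTS):
        print('ALERT', target)
```

\u003cp\u003eRunning the script empties the table through the vulnerable function, rejects the same payload in the fixed one, and reports three of the five constructed request targets. The detector is deliberately scoped to the one endpoint and the one parameter the advisory names; that keeps false positives far lower than a generic SQL-keyword match over every request.\u003c/p\u003e
\u003cp\u003e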
An exploit has been disclosed publicly and may be used, which increases the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an exposed instance of Electronic Judging System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the \u003ccode\u003e/admin/delete_judge.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request carries a \u003ccode\u003ejudge_id\u003c/code\u003e value that contains SQL syntax rather than a plain numeric identifier (for example \u003ccode\u003e1 OR 1=1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application places the \u003ccode\u003ejudge_id\u003c/code\u003e value directly into a SQL statement without parameterization or validation.\u003c/li\u003e\n\u003cli\u003eThe injected SQL executes with the privileges of the application\u0026rsquo;s database account. Because the injection point is a delete operation, the simplest abuse is widening the \u003ccode\u003eWHERE\u003c/code\u003e clause so that more rows are removed than intended; reading data out requires blind (boolean- or time-based) techniques or, where the database driver permits it, stacked queries.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials or judging data.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or deletes database records to manipulate judging outcomes or disrupt system functionality.\u003c/li\u003e\n\u003cli\u003eWith stolen credentials or altered records, the attacker gains access to administrative functions or other sensitive system resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary SQL queries, potentially leading to the complete compromise of the application\u0026rsquo;s database. This may result in unauthorized access to sensitive information, data modification, or even complete data loss. 
Given the nature of the application, attackers could manipulate judging outcomes, leading to unfair or inaccurate results.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRewrite the query in \u003ccode\u003e/admin/delete_judge.php\u003c/code\u003e to use a prepared statement with \u003ccode\u003ejudge_id\u003c/code\u003e bound as a parameter, and reject any value that is not a positive integer before it reaches the database. Escaping or sanitizing the string on its own is not a reliable fix for CVE-2026-9528.\u003c/li\u003e\n\u003cli\u003eDeploy a detection rule (for example a Sigma rule over web server access logs) that flags requests to \u003ccode\u003e/admin/delete_judge.php\u003c/code\u003e whose \u003ccode\u003ejudge_id\u003c/code\u003e parameter, after URL decoding, is anything other than a bare integer.\u003c/li\u003e\n\u003cli\u003eMonitor application and database logs for SQL syntax errors, and web server logs for HTTP 500 responses from this endpoint; both commonly accompany injection probing.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of itsourcecode Electronic Judging System that addresses this vulnerability if one is available; otherwise restrict access to the \u003ccode\u003e/admin/\u003c/code\u003e directory to trusted networks or authenticated administrators as a compensating control.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:27:51Z","date_published":"2026-05-26T14:27:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9528-sqli/","summary":"itsourcecode Electronic Judging System 1.0 is vulnerable to SQL injection via the judge_id parameter in /admin/delete_judge.php, allowing remote attackers to execute arbitrary SQL queries.","title":"itsourcecode Electronic Judging System 1.0 SQL Injection Vulnerability (CVE-2026-9528)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9528-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Itsourcecode","version":"https://jsonfeed.org/version/1.1"}