CVE-2026-10809 - Vulnerability Details

- itsourcecode Fees Management System manage_user.php sql injection

Description

A security flaw has been discovered in itsourcecode Fees Management System 1.0. This impacts an unknown function of the file /manage_user.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Published: 2026-06-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability was identified in the itsourcecode Fees Management System version 1.0 affecting the /manage_user.php script. By manipulating the ID argument, an attacker can inject arbitrary SQL statements, leading to unauthorized data exposure, modification, or deletion. The weakness stems from insufficient input validation, corresponding to CWE‑74 (Injection of unintended operators) and CWE‑89 (Improper Neutralization of Special Elements used in a SQL context). The flaw enables remote exploitation through the web interface.

Affected Systems

The vulnerability exists in itsourcecode's Fees Management System, specifically in the manage_user.php component of version 1.0. No other versions or components are listed as affected, and the vendor is itsourcecode. The product is accessed via the web, so the attack surface is the web server hosting the application.

Risk and Exploitability

With a CVSS base score of 5.3, the impact is considered moderate. The EPSS score is not provided, but the CVE notes that a public exploit has been released, indicating the potential for real‑world attacks. The vulnerability is not yet flagged in CISA's KEV catalog. Exploitation requires only remote access to the web interface and does not require local privilege escalation. Given the moderate severity and the availability of public exploits, administrators should treat this as a significant risk that could lead to data compromise if left unmitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Fees Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Itsourcecode

Fees Management System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest official patch or upgrade to a version of itsourcecode Fees Management System that addresses the SQL injection in manage_user.php.
Restrict access to the /manage_user.php endpoint to administrators only by configuring web‑server authentication, firewall rules, or IP‑based restrictions.
Implement strict input validation for the ID parameter, allowing only numeric values of expected length, and replace any concatenated SQL statements with parameterized queries or stored procedures.

Generated by OpenCVE AI on June 4, 2026 at 14:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.002.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/jocker-king253/cve/issues/1
https://itsourcecode.com/
https://vuldb.com/cve/CVE-2026-10809
https://vuldb.com/submit/834180
https://vuldb.com/vuln/368257
https://vuldb.com/vuln/368257/cti

History

Thu, 04 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in itsourcecode Fees Management System 1.0. This impacts an unknown function of the file /manage_user.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Title		itsourcecode Fees Management System manage_user.php sql injection
First Time appeared		Itsourcecode Itsourcecode fees Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:itsourcecode:fees_management_system::::::::
Vendors & Products		Itsourcecode Itsourcecode fees Management System
References		https://github.com/jocker-king253/cve/issues/1 https://itsourcecode.com/ https://vuldb.com/cve/CVE-2026-10809 https://vuldb.com/submit/834180 https://vuldb.com/vuln/368257 https://vuldb.com/vuln/368257/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Itsourcecode Fees Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-04T13:00:11.451Z

Updated: 2026-06-04T13:53:14.186Z

Reserved: 2026-06-04T05:18:35.481Z

Link: CVE-2026-10809

Vulnrichment

Updated: 2026-06-04T13:52:59.486Z

NVD

Status : Deferred

Published: 2026-06-04T14:16:37.203

Modified: 2026-06-04T14:41:25.017

Link: CVE-2026-10809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object