Description
A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. Manipulation of the argument email causes SQL injection. The attack can be initiated remotely. The exploit has been published and may be used.
Published: 2026-02-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL injection allowing data exfiltration and modification
Action: Apply patch
AI Analysis

Impact

The vulnerability arises from improper handling of the email argument in the Administrator Login component of itsourcecode News Portal Project 1.0. By manipulating the email parameter in /admin/index.php, an attacker can inject arbitrary SQL statements. This flaw permits unauthorized data exfiltration, modification, and deletion, and may serve as a stepping stone to more severe compromises. The weakness corresponds to the SQL injection categories reflected in CWE-74 and CWE-89.

Affected Systems

The affected product is itsourcecode News Portal Project 1.0, the only publicly identified version containing the flaw. The embedded CPE string shows the application is at major version 1.0. No other product variants are listed.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, while the EPSS score of less than 1% signals low current exploitation probability. The vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list. Attackers can trigger the flaw remotely via HTTP requests to the /admin/index.php endpoint, and proof‑of‑concept scripts have already been released. Accordingly, the risk is moderate but warrants prompt mitigation.

Generated by OpenCVE AI on April 17, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a vendor patch or upgrade to a newer version of the News Portal Project that resolves the SQL injection flaw, when available.
  • Refactor the application to use parameterized queries or prepared statements for all database interactions, and validate the email input against a strict whitelist.
  • Restrict administrative access by IP whitelisting, enforce HTTPS, and monitor authentication attempts for suspicious activity.
  • Enable a web application firewall to detect and block SQL injection patterns.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Clive 21
Clive 21 news Portal Project
CPEs cpe:2.3:a:clive_21:news_portal_project:1.0:*:*:*:*:*:*:*
Vendors & Products Clive 21
Clive 21 news Portal Project

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode
Itsourcecode news Portal Project
Vendors & Products Itsourcecode
Itsourcecode news Portal Project

Mon, 09 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Title itsourcecode News Portal Project Administrator Login index.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:59:20.905Z

Reserved: 2026-02-08T16:06:58.167Z

Link: CVE-2026-2225

Vulnrichment

Updated: 2026-02-09T13:58:03.818Z

NVD

Status: Modified

Published: 2026-02-09T09:16:34.590

Modified: 2026-02-23T11:16:25.357

Link: CVE-2026-2225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z
