CVE-2026-2689 - Vulnerability Details

- itsourcecode Event Management System manage_booking.php sql injection

Description

A vulnerability was detected in itsourcecode Event Management System 1.0. Affected is an unknown function of the file /admin/manage_booking.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.

Published: 2026-02-19

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A manipulation of the ID argument within /admin/manage_booking.php allows execution of arbitrary SQL statements leading to potential data exfiltration or modification. The flaw can compromise both confidentiality and integrity by exposing sensitive event and booking information or altering database contents. Because the injection occurs at the database layer, the damage can extend to any data stored by the application.

Affected Systems

The vulnerability exists in itsourcecode Event Management System version 1.0, specifically within the manage_booking.php file. The affected function is not publicly named, but the ID parameter is the entry point for exploitation.

Risk and Exploitability

The condition has a CVSS score of 6.9, indicating moderate severity. The EPSS score is less than 1%, suggesting exploitation probability is currently low, but the exploit is publicly available and can be launched from any remote source that can reach the web interface. It is not listed in the CISA KEV catalog, yet the public availability of the exploit emphasizes the need for immediate remediation. The attack vector is inferred to be network‑based, requiring access to the management interface over HTTP/HTTPS.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Event Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:admerc:event_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Itsourcecode

Event Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑issued patch or upgrade to a newer release of the Event Management System that resolves the ID injection flaw.
Restrict access to /admin/manage_booking.php so that only authenticated administrators can execute the script, using web‑server authentication or application‑level role checks.
Modify the application code to use prepared statements or bound parameters for the ID argument in manage_booking.php, ensuring proper input sanitization and preventing injection.

Generated by OpenCVE AI on April 18, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ltranquility/CVE/issues/38
https://itsourcecode.com/
https://vuldb.com/?ctiid.346489
https://vuldb.com/?id.346489
https://vuldb.com/?submit.754238

History

Tue, 24 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Admerc Admerc event Management System
CPEs		cpe:2.3:a:admerc:event_management_system:1.0:::::::*
Vendors & Products		Admerc Admerc event Management System

Tue, 24 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode event Management System
Vendors & Products		Itsourcecode Itsourcecode event Management System

Thu, 19 Feb 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in itsourcecode Event Management System 1.0. Affected is an unknown function of the file /admin/manage_booking.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
Title		itsourcecode Event Management System manage_booking.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/ltranquility/CVE/issues/38 https://itsourcecode.com/ https://vuldb.com/?ctiid.346489 https://vuldb.com/?id.346489 https://vuldb.com/?submit.754238
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Admerc Event Management System

Itsourcecode Event Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-19T00:32:07.761Z

Updated: 2026-02-24T15:48:58.273Z

Reserved: 2026-02-18T14:16:07.400Z

Link: CVE-2026-2689

Vulnrichment

Updated: 2026-02-24T15:48:51.496Z

NVD

Status : Analyzed

Published: 2026-02-19T07:17:47.447

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object