Description
A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The manipulation of the argument pagetitle results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Published: 2026-02-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in itsourcecode News Portal Project allows an attacker to inject arbitrary SQL when the pagetitle parameter in /admin/contactus.php is processed. The injection can be executed remotely by manipulating a public URL, and the publicly disclosed exploit demonstrates that the attack can manipulate the underlying database query.

Affected Systems

The vulnerability affects News Portal Project version 1.0 from itsourcecode. Users running this exact release are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while the EPSS score of less than 1% shows a low probability of exploitation at present. It is not listed in the CISA KEV catalog. Because the flaw is triggered by a parameter in a publicly accessible URL, remote web‑based exploitation is the likely attack vector.

Generated by OpenCVE AI on April 18, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any vendor‑issued patch or update for News Portal Project 1.0 as soon as it becomes available.
  • If no patch exists, limit access to /admin/contactus.php to authenticated administrative users or move the script outside the web‑accessible directory.
  • Implement input validation and switch to parameterized queries to prevent SQL injection via the pagetitle parameter.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Clive 21; Clive 21 news Portal Project
CPEs | | cpe:2.3:a:clive_21:news_portal_project:1.0:*:*:*:*:*:*:*
Vendors & Products | | Clive 21; Clive 21 news Portal Project

Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Itsourcecode; Itsourcecode news Portal Project
Vendors & Products | | Itsourcecode; Itsourcecode news Portal Project

Wed, 25 Feb 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The manipulation of the argument pagetitle results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Title | | itsourcecode News Portal Project contactus.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T21:15:54.230Z

Reserved: 2026-02-24T21:55:46.359Z

Link: CVE-2026-3164

Vulnrichment

Updated: 2026-02-25T21:15:44.432Z

NVD

Status: Analyzed

Published: 2026-02-25T06:16:27.180

Modified: 2026-02-25T15:13:13.190

Link: CVE-2026-3164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses