CVE-2026-9528 - Vulnerability Details

- itsourcecode Electronic Judging System delete_judge.php sql injection

Description

A vulnerability was identified in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /admin/delete_judge.php. Such manipulation of the argument judge_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.

Published: 2026-05-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The delete_judge.php component of itsourcecode's Electronic Judging System 1.0 accepts a judge_id parameter without proper validation, allowing attackers to inject arbitrary SQL code. This flaw stems from a lack of input sanitization (CWE‑74) and unsecured query construction (CWE‑89). The vulnerability can be triggered remotely through crafted HTTP requests, and publicly available exploits demonstrate that the attack can be executed without additional compromise of the host.

Affected Systems

The vulnerability is confined to the 1.0 release of the Electronic Judging System from itsourcecode. It specifically targets the /admin/delete_judge.php script and does not affect other products or versions listed for this vendor.

Risk and Exploitability

With a CVSS score of 6.9, the flaw represents a moderate severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The description confirms that the attack vector is remote and that exploits are publicly available, indicating a non‑negligible risk of exploitation especially in environments lacking strict access controls for the administrative interface.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Electronic Judging System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Itsourcecode

Electronic Judging System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the latest patched version of the Electronic Judging System that validates judge_id and uses parameterized queries for database access.
Restrict the /admin/delete_judge.php endpoint so that only authenticated administrators can access it, enforcing strong authentication and authorization checks.
Ensure judge_id is validated to contain only allowable characters (e.g., digits) and that all database interactions use prepared statements or stored procedures to eliminate SQL injection vectors.

Generated by OpenCVE AI on May 26, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/zulu225588/zulu-loudong/issues/4
https://itsourcecode.com/
https://vuldb.com/submit/814738
https://vuldb.com/vuln/365547
https://vuldb.com/vuln/365547/cti

History

Tue, 26 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /admin/delete_judge.php. Such manipulation of the argument judge_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Title		itsourcecode Electronic Judging System delete_judge.php sql injection
First Time appeared		Itsourcecode Itsourcecode electronic Judging System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:itsourcecode:electronic_judging_system::::::::
Vendors & Products		Itsourcecode Itsourcecode electronic Judging System
References		https://github.com/zulu225588/zulu-loudong/issues/4 https://itsourcecode.com/ https://vuldb.com/submit/814738 https://vuldb.com/vuln/365547 https://vuldb.com/vuln/365547/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Itsourcecode Electronic Judging System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-26T04:00:13.417Z

Updated: 2026-05-26T12:26:33.860Z

Reserved: 2026-05-25T19:31:40.073Z

Link: CVE-2026-9528

Vulnrichment

Updated: 2026-05-26T12:26:28.210Z

NVD

Status : Received

Published: 2026-05-26T05:16:18.863

Modified: 2026-05-26T05:16:18.863

Link: CVE-2026-9528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T07:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object