Platform: php
Component: itsourcecode-construction-management-system
Fixed in: 1.0.1
CVE-2026-5675 describes a SQL Injection vulnerability discovered in the itsourcecode Construction Management System, specifically impacting versions 1.0.0 through 1.0. This flaw resides within the parameter handler of the /borrowed_tool.php file, allowing attackers to manipulate the emp argument. Successful exploitation could lead to unauthorized data access and modification, highlighting the need for immediate remediation.
The SQL Injection vulnerability in itsourcecode Construction Management System allows an attacker to inject arbitrary SQL code into database queries. This can lead to a wide range of malicious activities, including unauthorized access to sensitive data such as user credentials, financial records, and project details. An attacker could potentially modify or delete data, leading to data integrity issues and operational disruptions. Given the public availability of the exploit, the risk of exploitation is significant. The potential blast radius extends to any data stored within the system's database, making it a critical security concern.
The exploit for CVE-2026-5675 has been publicly disclosed, increasing the likelihood of exploitation. It is currently not listed on CISA KEV, and an EPSS score is pending. The public availability of the exploit means that attackers with varying skill levels can potentially leverage this vulnerability. Monitoring for exploitation attempts is highly recommended.
Organizations utilizing itsourcecode Construction Management System, particularly those with publicly accessible instances and those lacking robust input validation or WAF protection, are at significant risk. Companies relying on the system for critical project management data are especially vulnerable to data breaches and operational disruption.
• php / web:
  curl -s -X POST -d "emp=<malicious_sql>" http://your-server.com/borrowed_tool.php | grep -i "error"
• generic web:
  curl -I "http://your-server.com/borrowed_tool.php?emp=<test_sql>"
• generic web: Examine access logs for requests to /borrowed_tool.php containing suspicious SQL syntax in the 'emp' parameter.
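As an added example, not code from the page or from the itsourcecode project, the log check above written as a small Python scanner run over constructed Apache access-log lines. It assumes the endpoint path /borrowed_tool.php as stated above and that emp is expected to be a numeric employee id; both the sample lines and that expectation are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:10:01:02 +0000] "GET /borrowed_tool.php?emp=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:10:01:09 +0000] "GET /borrowed_tool.php?emp=42%27 HTTP/1.1" 500 211 "-" "curl/8.0"
203.0.113.7 - - [10/May/2026:10:01:15 +0000] "GET /borrowed_tool.php?emp=42%20union%20select HTTP/1.1" 200 9870 "-" "curl/8.0"
203.0.113.9 - - [10/May/2026:10:02:30 +0000] "GET /index.php?emp=abc%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:10:02:41 +0000] "GET /borrowed_tool.php?emp=abc HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:10:02:55 +0000] "POST /borrowed_tool.php HTTP/1.1" 200 1532 "-" "curl/8.0"
"""
ENDPOINT = "/borrowed_tool.php"
PARAM = "emp"
# Assumption: emp is a numeric employee id; anything else is out of spec.
EXPECTED = re.compile(r"^\d{1,10}$")
# Metacharacters and keywords that have no business in a numeric id.
METACHARS = re.compile(r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def inspect_request(method, target):
    """Return a reason string if this request to the endpoint looks suspicious, else None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    if method == "POST":
        # Bodies are not in the access log; the PoC above uses POST, so flag for review.
        return "POST to endpoint: body not logged, check WAF/application logs"
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    for raw in values:
        val = unquote_plus(raw)  # second decode pass catches double-encoded values (%2527)
        if METACHARS.search(val):
            return f"SQL metacharacter/keyword in {PARAM}={val!r}"
        if not EXPECTED.match(val):
            return f"unexpected format in {PARAM}={val!r}"
    return None

def scan_log(text):
    # Collect (ip, status, reason) for every suspicious request line.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := inspect_request(m["method"], m["target"])):
            hits.append((m["ip"], m["status"], reason))
    return hits
```

Only GET query strings are visible in a standard access log, so POST requests to the endpoint are surfaced for follow-up rather than judged; a 500 status next to a flagged value is worth correlating with the application's error log.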
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5675 is to upgrade to a patched version of itsourcecode Construction Management System as soon as it becomes available. In the absence of a patch, implement temporary workarounds to reduce the attack surface. These include deploying a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the /borrowed_tool.php endpoint. Input validation on the emp parameter is also crucial, ensuring that only expected data types and formats are accepted. Regularly review and harden database user permissions to limit the impact of a successful attack.
Update the itsourcecode Construction Management System to a fixed version. Check and sanitize the user input in the file borrowed_tool.php to prevent SQL injection. Implement appropriate validation and escaping for user-supplied data.
CVE-2026-5675 is a SQL Injection vulnerability affecting itsourcecode Construction Management System versions 1.0.0–1.0, allowing attackers to inject malicious SQL code through the 'emp' parameter in /borrowed_tool.php.
If you are running itsourcecode Construction Management System version 1.0.0–1.0 and have not applied a patch, you are potentially vulnerable to this SQL Injection attack.
The recommended fix is to upgrade to a patched version of itsourcecode Construction Management System. Until a patch is available, implement WAF rules and input validation as temporary mitigations.
Yes, an exploit for CVE-2026-5675 is publicly available, indicating a high likelihood of active exploitation.
Please refer to the itsourcecode website or security advisories for the official advisory regarding CVE-2026-5675.