{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5681", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-06T09:52:04.455Z", "datePublished": "2026-04-06T19:15:12.127Z", "dateUpdated": "2026-04-06T19:15:12.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T19:15:12.127Z"}, "title": "itsourcecode sanitize or validate this input Parameter borrowedequip.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "sanitize or validate this input", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-06T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-06T11:57:08.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "lllyyy123 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355508", "name": "VDB-355508 | itsourcecode sanitize or validate this input Parameter borrowedequip.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355508/cti", "name": "VDB-355508 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792688", "name": "Submit #792688 | itsourcecode Construction Management System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/submit/issues/6", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used."}], "id": "CVE-2026-5681", "lastModified": "2026-04-06T20:16:28.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:28.997", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/ltranquility/submit/issues/6"}, {"source": "cna@vuldb.com", "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792688"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355508"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355508/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sanitize or validate this input", "source": "cna", "vendor": "itsourcecode"}, "product": "sanitize_or_validate_this_input", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-04-07T02:28:45.222427+00:00", "value": {"mitigation_remediation": ["Check for and apply any vendor patches or updates for the itsourcecode sanitize or validate this input component.", "Validate the emp_id parameter to accept only expected numeric values.", "Refactor database interactions to use parameterized queries or stored procedures to eliminate direct concatenation of user input.", "Limit the database user\u2019s privileges to the minimum necessary for application operations.", "Enable logging and monitoring for suspicious SQL activity and review logs regularly."], "summary": {"action": "Patch ASAP", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is itsourcecode sanitize or validate this input version 1.0, specifically the borrowedequip.php file within the Parameter Handler module. Administrators deploying this component should verify whether their installations include this vulnerable code. No vendor patch or specific affected version range is published, so users should check for updates or vendor advisories.", "description_and_impact": "A flaw was discovered in the itsourcecode sanitize or validate this input 1.0 component that handles /borrowedequip.php. The flaw resides in the emp_id parameter, which can be manipulated to inject arbitrary SQL statements into the database query. Attackers able to supply malicious content can execute arbitrary SELECT, UPDATE, DELETE, or INSERT commands, potentially exposing sensitive data, altering inventory records, or disrupting operations. The vulnerability stems from improper input sanitization (CWE\u201174) and improper neutralization of special elements used in an SQL command (CWE\u201189).", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack is feasible remotely, as the vulnerability is triggered by manipulating a user-controllable parameter sent via HTTP. Published exploits suggest that attackers can already exploit the issue, raising the likelihood of real-world impact. Until a vendor fix is released, the risk remains moderate to high depending on the application's role in handling confidential data."}}}}, "created": "2026-04-07T06:54:27.794328+00:00", "updated": "2026-04-07T09:37:30.210247+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$sanitize_or_validate_this_input"]}