Skip to main content

Electronic Judging System CVE-2026-9383

| EUVD-2026-31595 MEDIUM
SQL Injection (CWE-89)
2026-05-24 VulDB GHSA-f6vh-g669-h27x
PHP SQLi Electronic Judging System
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:05 vuln.today
Severity Changed
May 26, 2026 - 19:37 NVD
HIGH MEDIUM
CVSS changed
May 26, 2026 - 19:37 NVD
7.3 (HIGH) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

AnalysisAI

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-exposed login page
Delivery
Send crafted POST request with SQL payload in Username
Exploit
Manipulate backend SQL query logic
Execution
Bypass authentication check
Impact
Access admin panel or extract database contents
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerable file /intrams/admin/login.php must be network-accessible - CVSS vector AV:N/AC:L/AT:N/PR:N/UI:N confirms no authentication, no user interaction, and no special attack preconditions are required against any network-reachable instance running Electronic Judging System 1.0 in its default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.5 is driven by a maximally accessible attack vector - network-reachable, low complexity, no authentication (PR:N), no user interaction (UI:N) - but is tempered by low-rated impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), suggesting the CVSS model bounds direct impact to partial data exposure rather than full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies an internet-exposed Electronic Judging System 1.0 instance and sends a crafted HTTP POST request to /intrams/admin/login.php with a SQL injection payload in the Username field (e.g., `admin' OR '1'='1' -- `), causing the backend PHP application to construct a query that always evaluates as true and bypasses credential validation. Publicly available exploit code referenced at https://github.com/nidieaaa/test/issues/11 provides a ready-made template, enabling low-skilled threat actors to replicate the attack without deep SQL knowledge. …
Remediation No vendor-released patch has been identified at time of analysis; monitor VulDB (https://vuldb.com/vuln/365346) and itsourcecode (https://itsourcecode.com/) for updates. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-9383 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy