Login Sign Up

CVE-2025-10426

7.3 HIGH
SQL Injection Authentication Bypass

📋 TL;DR

CVE-2025-10426 is a SQL injection vulnerability in itsourcecode Online Laundry Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the Username parameter in login.php. This affects all deployments of version 1.0 of this web application. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • itsourcecode Online Laundry Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in the core login functionality.

📦 What is this software?

Online Laundry Management System by Campcodes

View all CVEs affecting Online Laundry Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive laundry management data, customer information exposure, and potential system takeover.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires no authentication and uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to a different laundry management system or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

Input Validation Filter

all

Implement server-side input validation to sanitize the Username parameter.

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to internal networks only.
  • Implement strict network segmentation and monitor all access to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Test the login.php endpoint with SQL injection payloads in the Username parameter (e.g., ' OR '1'='1).

Check Version:

Check the application version in the admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts with SQL-like patterns

Network Indicators:

  • HTTP POST requests to /login.php containing SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/login.php" AND (param="Username" AND value MATCHES "(?i)(union|select|or|and|'|--|#)")

📊 Metadata

CVE ID: CVE-2025-10426
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.02% exploit probability (4.7th percentile)
Published: September 15, 2025
Last Updated: September 18, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10426, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)