Login Sign Up

CVE-2026-3133

7.3 HIGH
SQL Injection Authentication Bypass

📋 TL;DR

This SQL injection vulnerability in itsourcecode Document Management System 1.0 allows attackers to manipulate database queries through the login page's username parameter. Remote attackers can potentially execute arbitrary SQL commands, compromising the system. All deployments of version 1.0 with the vulnerable component are affected.

💻 Affected Systems

Products:
  • itsourcecode Document Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /loging.php component specifically. Any deployment with this file accessible is vulnerable.

📦 What is this software?

Document Management System by Admerc

View all CVEs affecting Document Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive documents, user credential theft, and database manipulation leading to data integrity issues.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection via username parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameterized queries or input sanitization to /loging.php to prevent SQL injection

Modify /loging.php to use prepared statements with parameterized queries instead of direct string concatenation

Web Application Firewall

all

Deploy WAF rules to block SQL injection patterns in login requests

Add WAF rule: Detect and block SQL keywords (UNION, SELECT, INSERT, etc.) in username parameter

🧯 If You Can't Patch

  • Isolate the Document Management System behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the application server only

🔍 How to Verify

Check if Vulnerable:

Test /loging.php with SQL injection payloads in username parameter (e.g., admin' OR '1'='1)

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or produce no database errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts with SQL-like patterns in username field

Network Indicators:

  • HTTP POST requests to /loging.php containing SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri_path="/loging.php" AND (username="*UNION*" OR username="*SELECT*" OR username="*' OR '*"*)

📊 Metadata

CVE ID: CVE-2026-3133
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
Published: February 25, 2026
Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-3133, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)