{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3153", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-24T20:14:55.479Z", "datePublished": "2026-02-25T05:32:08.264Z", "dateUpdated": "2026-02-25T14:46:50.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T05:32:08.264Z"}, "title": "itsourcecode Document Management System register.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Document Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-24T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-24T21:20:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "XerTheShy (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.347661", "name": "VDB-347661 | itsourcecode Document Management System register.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347661", "name": "VDB-347661 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.758831", "name": "Submit #758831 | itsourcecode Document Management System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/CVE/issues/42", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T14:46:41.295684Z", "id": "CVE-2026-3153", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T14:46:50.679Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3153", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-24T20:14:55.479Z", "datePublished": "2026-02-25T05:32:08.264Z", "dateUpdated": "2026-02-25T14:46:50.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T05:32:08.264Z"}, "title": "itsourcecode Document Management System register.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Document Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-24T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-24T21:20:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "XerTheShy (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.347661", "name": "VDB-347661 | itsourcecode Document Management System register.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347661", "name": "VDB-347661 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.758831", "name": "Submit #758831 | itsourcecode Document Management System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/CVE/issues/42", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3153", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T14:46:41.295684Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T14:46:46.287Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admerc:document_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "2E5624DF-BD1B-45C8-B70F-21BD48027994", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en itsourcecode Document Management System 1.0. Afectada es una funci\u00f3n desconocida del archivo /register.php. Tal manipulaci\u00f3n del argumento Username lleva a inyecci\u00f3n SQL. Es posible lanzar el ataque remotamente. El exploit ha sido revelado al p\u00fablico y puede ser usado."}], "id": "CVE-2026-3153", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-25T06:16:26.767", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ltranquility/CVE/issues/42"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.347661"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.347661"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.758831"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Document Management System", "source": "cna", "vendor": "itsourcecode"}, "product": "document_management_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-04-17T15:24:12.099759+00:00", "value": {"mitigation_remediation": ["Update the Document Management System to a patch that sanitizes the Username input in register.php.", "If a patch is not yet available, restrict external access to the register.php endpoint or enforce authentication before allowing registration attempts.", "Review the source code to ensure that all database interactions use parameterized queries or proper input validation, addressing CWE\u201174 and CWE\u201189 weaknesses."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected system is the itsourcecode Document Management System, specifically version 1.0 as listed by the CNA. No other versions or components are documented as affected.", "description_and_impact": "A flaw exists in the register.php file of itsourcecode Document Management System version 1.0 that allows an attacker to manipulate the Username parameter, resulting in a SQL injection vulnerability. This weakness is identified as CWE\u201174 and CWE\u201189 and can lead to unauthorized access to the database, exposing sensitive data or enabling further compromise within the affected system. The vulnerability is exploitable from outside the internal network, making it a remote attack vector that does not require local privileges.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates medium severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not currently registered in the CISA KEV catalog. Because the attack requires only remote access to the public-facing register.php endpoint, an attacker with internet connectivity could potentially exploit it, especially if the system is not updated to a patched release."}}}}, "created": "2026-02-25T11:34:32.636201+00:00", "updated": "2026-04-17T15:30:06.027519+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$document_management_system"]}