CVE-2026-2115

7.3 HIGH

Published 2026-02-07 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A high-severity (CVSS 7.3) SQL injection vulnerability in itsourcecode Society Management System 1.0 allows a remote, unauthenticated attacker to inject SQL through the expense deletion feature, /admin/delete_expenses.php, via the expenses_id parameter. This matters because the injected SQL runs with the application's database privileges, so an attacker can read, alter or delete data well beyond the single expense record being removed.

Who is affected

All deployments of Society Management System 1.0 with the vulnerable /admin/delete_expenses.php file are affected. An attacker could steal, modify, or delete sensitive society data, including financial records and member information.

Recommended fix

Immediately restrict network access to the admin interface (for example, allow it only from trusted addresses and behind authentication) and apply any official patch from the vendor. If no patch exists, change the query in /admin/delete_expenses.php to a prepared statement with expenses_id bound as an integer parameter. Input sanitisation on its own is a weaker control; at a minimum, reject any expenses_id that is not a plain positive integer before it reaches the query.
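The two patterns the fix contrasts, as an added example that is not code from the Society Management System or its vendor. The vulnerable handler is an assumed shape of an endpoint that concatenates the expenses_id request parameter into a DELETE statement (the real /admin/delete_expenses.php is not reproduced here); the hardened handler validates the value and binds it through PDO. An in-memory SQLite database and the seed rows are constructed so the script runs stand-alone with `php sqli_demo.php`.

```php
<?php
// Added example: not code from itsourcecode Society Management System.
// deleteExpenseVulnerable() is an ASSUMED shape of a delete endpoint that
// splices the expenses_id parameter into SQL text; deleteExpenseSafe() is
// the prepared-statement version. SQLite in memory stands in for MySQL.
declare(strict_types=1);

function seedDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE expenses (expenses_id INTEGER PRIMARY KEY, description TEXT, amount REAL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO expenses VALUES (1, 'Lift maintenance', 1200.0), (2, 'Security guard', 8000.0), (3, 'Water tanker', 650.0)");
    return $db;
}

function countExpenses(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM expenses')->fetchColumn();
}

// VULNERABLE (assumed shape): the parameter becomes part of the SQL text,
// so a value such as "1 OR 1=1" changes the WHERE clause itself.
function deleteExpenseVulnerable(PDO $db, string $expensesId): int {
    $sql = 'DELETE FROM expenses WHERE expenses_id = ' . $expensesId;
    return $db->exec($sql);
}

// HARDENED: accept only a plain positive integer, then bind it as a typed
// parameter so the database never parses attacker text as SQL.
function deleteExpenseSafe(PDO $db, string $expensesId): int {
    if (!ctype_digit($expensesId)) {
        throw new InvalidArgumentException('expenses_id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM expenses WHERE expenses_id = :id');
    $stmt->bindValue(':id', (int)$expensesId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker input: a tautology appended to a valid id.
$payload = '1 OR 1=1';

$db = seedDb();
$deleted = deleteExpenseVulnerable($db, $payload);
printf("vulnerable: deleted %d rows, %d remain\n", $deleted, countExpenses($db));

$db = seedDb();
try {
    deleteExpenseSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected payload (%s), %d remain\n", $e->getMessage(), countExpenses($db));
}
$deleted = deleteExpenseSafe($db, '2');
printf("hardened: deleted %d row(s) with id 2, %d remain\n", $deleted, countExpenses($db));
```

Run against the seeded table, the vulnerable handler deletes every row because the tautology makes the WHERE clause always true, while the hardened handler refuses the same payload and, given a genuine id, removes only that row. The integer check in front of the prepared statement is belt and braces: the bound parameter alone already stops injection, and the check keeps junk such as negative or empty ids from producing confusing errors.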

Technical Description

A flaw has been found in itsourcecode Society Management System 1.0. It affects unknown processing in the file /admin/delete_expenses.php: manipulation of the argument expenses_id leads to SQL injection. The attack can be launched remotely. An exploit has been published and may be in use.

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89, CWE-74

References