CVE-2026-2117

7.3 HIGH

Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A critical SQL injection flaw exists in the Society Management System 1.0, allowing attackers to manipulate database queries through the activity editing page. This matters because it lets attackers steal or tamper with sensitive society data without needing special access.

Who is affected

All deployments of itsourcecode Society Management System 1.0 with the vulnerable /admin/edit_activity.php file are affected. An attacker could read, modify, or delete database contents, potentially compromising member information and system integrity.

Recommended fix

Immediately restrict network access to the admin interface and apply any official patch from the vendor. If no patch exists, sanitize all user input in the `activity_id` parameter and use prepared statements to fix the SQL injection.
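The fix described above, sketched as an added example (this is not the vendor's code): validate `activity_id` as a positive integer, then bind it in a prepared statement. The `activity` table, its columns and the `find_activity` helper are hypothetical, and an in-memory SQLite database with constructed rows stands in for the application's database so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: fetch one activity row for the request's activity_id.
// Returns null when the input is not a valid id or no row matches.
function find_activity(PDO $db, mixed $rawId): ?array
{
    // 1. Allowlist validation: accept only a positive integer, reject the rest.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the page handler should answer 400 Bad Request here
    }

    // 2. Parameterized query: the value is bound as data and is never
    //    concatenated into the SQL text, so it cannot change the query shape.
    $stmt = $db->prepare('SELECT id, title FROM activity WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Constructed demo data (assumption: schema invented for illustration) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Note: with pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server prepares the statement instead of the client emulating it.
$db->exec('CREATE TABLE activity (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO activity (id, title) VALUES (1, 'Annual meeting'), (2, 'Clean-up day')");

// Constructed inputs: one valid id, then values the validator must refuse.
$samples = ['2', '2abc', '-5', '', null, ['2']];

foreach ($samples as $input) {
    $row = find_activity($db, $input);
    printf(
        "%-12s => %s\n",
        var_export($input, true) === '' ? "''" : json_encode($input),
        $row === null ? 'rejected or not found' : json_encode($row)
    );
}
```

Only the first sample reaches the database; every other value is refused before any SQL is prepared.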

Technical Description

A vulnerability was found in itsourcecode Society Management System 1.0. It affects an unknown function in the file `/admin/edit_activity.php`. Manipulating the `activity_id` argument results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89, CWE-74
