CVE-2026-2161
7.3 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A critical SQL injection vulnerability exists in the Directory Management System's password reset page. Attackers can remotely exploit it by manipulating the email field, potentially gaining unauthorized access to the database.
Who is affected
All users of itsourcecode Directory Management System 1.0 are affected. A successful attacker could steal, modify, or delete sensitive data stored in the application's database.
Recommended fix
Immediately restrict network access to the system and apply any official patch from the vendor. If no patch is available, sanitize all user inputs in the `/admin/forget-password.php` file and use parameterized queries to prevent SQL injection.
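One way to apply the parameterized-query advice above to a password-reset lookup, as an added example that is not the vendor's code. The use of mysqli, the schema (`tbladmin`, `id`, `email`), the database credentials and the function name `find_admin_by_email` are assumptions; only the `email` request field comes from the advisory.

```php
<?php
// Added example: hardened e-mail lookup for a password-reset handler.
// Table/column names are hypothetical; DB credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function find_admin_by_email(mysqli $db, string $rawEmail): ?int
{
    // 1. Validate shape and length before touching the database.
    $email = trim($rawEmail);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // 2. Bind the value: it travels separately from the SQL text and
    //    cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT id FROM tbladmin WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch(); // true on a row, null when nothing matches
    $stmt->close();

    return $found ? (int) $id : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Reject non-string input such as email[]=... before it reaches the lookup.
    $input = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
    try {
        $db = new mysqli('localhost', 'dms_app', 'CHANGE_ME', 'dms'); // placeholders
        $db->set_charset('utf8mb4');
        $adminId = find_admin_by_email($db, $input);
        if ($adminId !== null) {
            // Issue a single-use reset token here (out of scope for this example).
        }
    } catch (mysqli_sql_exception $e) {
        // Log server-side; never echo SQL errors back to the client.
        error_log('forget-password lookup failed: ' . $e->getMessage());
    }
    // 3. Same response for every outcome, so the page neither exposes
    //    query errors nor confirms which addresses exist.
    echo 'If that address is registered, a reset link has been sent.';
}
```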
Technical Description
A vulnerability was found in itsourcecode Directory Management System 1.0. It affects unknown functionality in the file `/admin/forget-password.php`. Manipulating the `email` argument results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74