Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13550: SQL Injection in itsourcecode Baptism Information Management System 1.0
CVE-2026-13550: SQL Injection in itsourcecode Baptism Information Management System 1.0
SECURITYHIGHCVE-2026-13550

CVE-2026-13550: SQL Injection in itsourcecode Baptism Information Management System 1.0

A high-severity SQL injection vulnerability has been identified in itsourcecode Baptism Information Management System 1.0, allowing remote attackers to...

Dylan H.

Security Team

June 30, 2026
3 min read

Affected Products

  • itsourcecode Baptism Information Management System 1.0

Overview

A SQL injection vulnerability tracked as CVE-2026-13550 has been disclosed in the itsourcecode Baptism Information Management System 1.0, a PHP-based web application for managing baptism records. The flaw resides in the /delbaptism.php file and allows an unauthenticated or low-privileged remote attacker to inject arbitrary SQL commands via the ID parameter.

The vulnerability received a CVSS v3.1 base score of 7.3 (High), reflecting its remote exploitability and potential for significant data compromise.

Technical Details

The affected endpoint /delbaptism.php accepts an ID parameter as part of a deletion request without adequate input sanitization or parameterized query usage. An attacker can craft a malicious HTTP request to manipulate the underlying SQL query, potentially enabling:

  • Data extraction: Exfiltrating records from the database including personally identifiable information (PII) such as baptism records, names, and contact details
  • Data manipulation: Modifying or deleting database records
  • Authentication bypass: Depending on application configuration, bypassing login mechanisms
  • Database enumeration: Mapping table structures for further exploitation

The exploit has been publicly disclosed, meaning proof-of-concept code may be available, lowering the barrier for exploitation.

Vulnerability Summary

FieldDetail
CVE IDCVE-2026-13550
CVSS Score7.3 (High)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
Affected File/delbaptism.php
Affected ParameterID
Vulnerability TypeSQL Injection (CWE-89)

Affected Products

  • itsourcecode Baptism Information Management System 1.0

Deployments of this application — commonly found in parish management, church administration, and community record-keeping scenarios — should be treated as vulnerable until patched or mitigated.

Remediation

No official vendor patch has been announced as of this advisory. Organizations running this software should take the following immediate steps:

  1. Restrict public access: Remove the application from internet-facing exposure if it is not required to be publicly accessible.
  2. Implement a WAF: Deploy a Web Application Firewall with SQL injection rulesets to block malicious input until a patch is available.
  3. Parameterize queries: Developers should refactor affected database calls to use prepared statements with bound parameters, eliminating the injection surface.
  4. Input validation: Add server-side validation to reject non-numeric or unexpected characters in the ID field.
  5. Monitor access logs: Review web server access logs for anomalous requests targeting /delbaptism.php with atypical ID values.

Indicators of Exploitation

Defenders should monitor for HTTP requests matching the following patterns in access logs:

  • Requests to /delbaptism.php containing SQL metacharacters (', ", --, ;, UNION, SELECT)
  • Unusually long or encoded ID parameter values
  • Repeated requests from a single IP targeting the delete endpoint

Context

This vulnerability follows a pattern of SQL injection flaws in open-source PHP-based management systems sourced from code repositories such as itsourcecode.com. These applications are often deployed without security hardening in small organizations, making them targets for automated vulnerability scanners and opportunistic attackers. While the application's niche nature limits its exposure footprint, any deployment containing sensitive personal data warrants prompt remediation.


Advisory published by CosmicBytez Labs based on NVD disclosure. Organizations should verify their exposure and apply mitigations promptly.

#CVE#SQL Injection#Vulnerability#NVD#Web Application Security

Related Articles

CVE-2026-13551: SQL Injection in itsourcecode Baptism Information Management System 1.0 (editBaptism.php)

A second high-severity SQL injection vulnerability has been disclosed in itsourcecode Baptism Information Management System 1.0, this time affecting the...

3 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read
Back to all Security Alerts