Overview
A SQL injection vulnerability tracked as CVE-2026-13550 has been disclosed in the itsourcecode Baptism Information Management System 1.0, a PHP-based web application for managing baptism records. The flaw resides in the /delbaptism.php file and allows an unauthenticated or low-privileged remote attacker to inject arbitrary SQL commands via the ID parameter.
The vulnerability received a CVSS v3.1 base score of 7.3 (High), reflecting its remote exploitability and potential for significant data compromise.
Technical Details
The affected endpoint /delbaptism.php accepts an ID parameter as part of a deletion request without adequate input sanitization or parameterized query usage. An attacker can craft a malicious HTTP request to manipulate the underlying SQL query, potentially enabling:
- Data extraction: Exfiltrating records from the database including personally identifiable information (PII) such as baptism records, names, and contact details
- Data manipulation: Modifying or deleting database records
- Authentication bypass: Depending on application configuration, bypassing login mechanisms
- Database enumeration: Mapping table structures for further exploitation
The exploit has been publicly disclosed, meaning proof-of-concept code may be available, lowering the barrier for exploitation.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-13550 |
| CVSS Score | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected File | /delbaptism.php |
| Affected Parameter | ID |
| Vulnerability Type | SQL Injection (CWE-89) |
Affected Products
- itsourcecode Baptism Information Management System 1.0
Deployments of this application — commonly found in parish management, church administration, and community record-keeping scenarios — should be treated as vulnerable until patched or mitigated.
Remediation
No official vendor patch has been announced as of this advisory. Organizations running this software should take the following immediate steps:
- Restrict public access: Remove the application from internet-facing exposure if it is not required to be publicly accessible.
- Implement a WAF: Deploy a Web Application Firewall with SQL injection rulesets to block malicious input until a patch is available.
- Parameterize queries: Developers should refactor affected database calls to use prepared statements with bound parameters, eliminating the injection surface.
- Input validation: Add server-side validation to reject non-numeric or unexpected characters in the
IDfield. - Monitor access logs: Review web server access logs for anomalous requests targeting
/delbaptism.phpwith atypicalIDvalues.
Indicators of Exploitation
Defenders should monitor for HTTP requests matching the following patterns in access logs:
- Requests to
/delbaptism.phpcontaining SQL metacharacters (',",--,;,UNION,SELECT) - Unusually long or encoded
IDparameter values - Repeated requests from a single IP targeting the delete endpoint
Context
This vulnerability follows a pattern of SQL injection flaws in open-source PHP-based management systems sourced from code repositories such as itsourcecode.com. These applications are often deployed without security hardening in small organizations, making them targets for automated vulnerability scanners and opportunistic attackers. While the application's niche nature limits its exposure footprint, any deployment containing sensitive personal data warrants prompt remediation.
Advisory published by CosmicBytez Labs based on NVD disclosure. Organizations should verify their exposure and apply mitigations promptly.