Overview
A second SQL injection vulnerability, tracked as CVE-2026-13551, has been disclosed in itsourcecode Baptism Information Management System 1.0 — the same PHP web application targeted by CVE-2026-13550. This flaw affects the /editBaptism.php file and allows remote attackers to inject SQL commands through the ID parameter used during record edit operations.
The vulnerability carries a CVSS v3.1 base score of 7.3 (High) and was publicly disclosed on June 29, 2026. Both CVEs were reported on the same date, suggesting a coordinated audit of this application uncovering multiple injection points.
Technical Details
The /editBaptism.php endpoint retrieves a baptism record for editing using an ID parameter supplied via HTTP request. Without proper input sanitization or use of parameterized queries, this parameter is passed directly into a SQL SELECT or UPDATE statement, enabling injection.
Potential impact includes:
- Unauthorized data retrieval: Exfiltrating sensitive personal records from the database
- Record tampering: Modifying existing baptism records including names, dates, and personal details
- Database compromise: Depending on database user privileges, broader access to the underlying database instance
- Chained exploitation: Combined with CVE-2026-13550 (affecting
/delbaptism.php), attackers gain read, write, and delete capabilities across the application
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-13551 |
| CVSS Score | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected File | /editBaptism.php |
| Affected Parameter | ID |
| Vulnerability Type | SQL Injection (CWE-89) |
Relationship to CVE-2026-13550
CVE-2026-13551 and CVE-2026-13550 were disclosed simultaneously and affect the same application version. Together, they indicate a systemic failure in input validation throughout the application — the absence of parameterized queries is likely pervasive across the codebase, not limited to these two files. Organizations should audit all endpoints that accept and process user-supplied ID values.
Affected Products
- itsourcecode Baptism Information Management System 1.0
Remediation
No vendor patch is available. Apply the following mitigations immediately:
- Disable the application from public internet access if not strictly required.
- Deploy WAF rules targeting SQL injection patterns on requests to
.phpendpoints. - Refactor database queries to use prepared statements — both
/editBaptism.phpand/delbaptism.phpmust be patched. A full code audit is recommended. - Restrict database permissions: Ensure the application's database user operates with least privilege — no
DROP,FILE, or administrative grants. - Enable query logging: Turn on MySQL/MariaDB general query logging temporarily to detect ongoing exploitation attempts.
Indicators of Exploitation
Monitor for the following in web server logs:
- Requests to
/editBaptism.phpwithIDvalues containing',",--,OR 1=1,UNION SELECT, or similar SQL syntax - Encoded payloads:
%27,%22,%3Bin theIDfield - High-frequency requests to the edit endpoint from a single source IP
Context
The back-to-back disclosure of two SQL injection flaws in the same application underscores a recurring challenge in the open-source web app ecosystem: many small management systems are built without adhering to secure coding practices. These applications often handle sensitive community data — in this case, religious records — making breaches particularly impactful for affected individuals.
Security researchers and community administrators using such systems should prioritize code audits and consider migrating to actively maintained alternatives with established security track records.
Advisory published by CosmicBytez Labs based on NVD disclosure. See also CVE-2026-13550 for a related SQL injection in the same application.