Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13551: SQL Injection in itsourcecode Baptism Information Management System 1.0 (editBaptism.php)
CVE-2026-13551: SQL Injection in itsourcecode Baptism Information Management System 1.0 (editBaptism.php)
SECURITYHIGHCVE-2026-13551

CVE-2026-13551: SQL Injection in itsourcecode Baptism Information Management System 1.0 (editBaptism.php)

A second high-severity SQL injection vulnerability has been disclosed in itsourcecode Baptism Information Management System 1.0, this time affecting the...

Dylan H.

Security Team

June 30, 2026
3 min read

Affected Products

  • itsourcecode Baptism Information Management System 1.0

Overview

A second SQL injection vulnerability, tracked as CVE-2026-13551, has been disclosed in itsourcecode Baptism Information Management System 1.0 — the same PHP web application targeted by CVE-2026-13550. This flaw affects the /editBaptism.php file and allows remote attackers to inject SQL commands through the ID parameter used during record edit operations.

The vulnerability carries a CVSS v3.1 base score of 7.3 (High) and was publicly disclosed on June 29, 2026. Both CVEs were reported on the same date, suggesting a coordinated audit of this application uncovering multiple injection points.

Technical Details

The /editBaptism.php endpoint retrieves a baptism record for editing using an ID parameter supplied via HTTP request. Without proper input sanitization or use of parameterized queries, this parameter is passed directly into a SQL SELECT or UPDATE statement, enabling injection.

Potential impact includes:

  • Unauthorized data retrieval: Exfiltrating sensitive personal records from the database
  • Record tampering: Modifying existing baptism records including names, dates, and personal details
  • Database compromise: Depending on database user privileges, broader access to the underlying database instance
  • Chained exploitation: Combined with CVE-2026-13550 (affecting /delbaptism.php), attackers gain read, write, and delete capabilities across the application

Vulnerability Summary

FieldDetail
CVE IDCVE-2026-13551
CVSS Score7.3 (High)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
Affected File/editBaptism.php
Affected ParameterID
Vulnerability TypeSQL Injection (CWE-89)

Relationship to CVE-2026-13550

CVE-2026-13551 and CVE-2026-13550 were disclosed simultaneously and affect the same application version. Together, they indicate a systemic failure in input validation throughout the application — the absence of parameterized queries is likely pervasive across the codebase, not limited to these two files. Organizations should audit all endpoints that accept and process user-supplied ID values.

Affected Products

  • itsourcecode Baptism Information Management System 1.0

Remediation

No vendor patch is available. Apply the following mitigations immediately:

  1. Disable the application from public internet access if not strictly required.
  2. Deploy WAF rules targeting SQL injection patterns on requests to .php endpoints.
  3. Refactor database queries to use prepared statements — both /editBaptism.php and /delbaptism.php must be patched. A full code audit is recommended.
  4. Restrict database permissions: Ensure the application's database user operates with least privilege — no DROP, FILE, or administrative grants.
  5. Enable query logging: Turn on MySQL/MariaDB general query logging temporarily to detect ongoing exploitation attempts.

Indicators of Exploitation

Monitor for the following in web server logs:

  • Requests to /editBaptism.php with ID values containing ', ", --, OR 1=1, UNION SELECT, or similar SQL syntax
  • Encoded payloads: %27, %22, %3B in the ID field
  • High-frequency requests to the edit endpoint from a single source IP

Context

The back-to-back disclosure of two SQL injection flaws in the same application underscores a recurring challenge in the open-source web app ecosystem: many small management systems are built without adhering to secure coding practices. These applications often handle sensitive community data — in this case, religious records — making breaches particularly impactful for affected individuals.

Security researchers and community administrators using such systems should prioritize code audits and consider migrating to actively maintained alternatives with established security track records.


Advisory published by CosmicBytez Labs based on NVD disclosure. See also CVE-2026-13550 for a related SQL injection in the same application.

#CVE#SQL Injection#Vulnerability#NVD#Web Application Security

Related Articles

CVE-2026-13550: SQL Injection in itsourcecode Baptism Information Management System 1.0

A high-severity SQL injection vulnerability has been identified in itsourcecode Baptism Information Management System 1.0, allowing remote attackers to...

3 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read
Back to all Security Alerts