Cyber Resilience

CVE-2026-7074

Medium

Published: 27 April 2026

Published
27 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7074 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode (inferred from references). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7074 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Construction Management System 1.0. The flaw affects unknown code in the file /execute1.php, where manipulation of the 'code' argument enables SQL injection. Published on 2026-04-27, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low attack complexity.

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. By crafting malicious input for the 'code' argument, attackers can inject SQL payloads, potentially leading to low-level impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor data modification), and availability (e.g., minor service disruption).

Advisories and additional details are documented in references such as the GitHub issue at https://github.com/Beatriz-ai-boop/cve/issues/3, the vendor site at https://itsourcecode.com/, and VulDB entries including https://vuldb.com/submit/799544, https://vuldb.com/vuln/359649, and https://vuldb.com/vuln/359649/cti. The exploit has been publicly disclosed and may be used against vulnerable instances.

EU & UK References

Vulnerability details

A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of the argument code leads to sql injection. The attack may be performed from remote. The exploit has…

more

been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a public-facing web app (/execute1.php) directly enables remote unauthenticated exploitation via T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89
CVE-2025-2683Shared CWE-74, CWE-89
CVE-2026-5238Shared CWE-74, CWE-89
CVE-2026-4288Shared CWE-74, CWE-89
CVE-2026-2220Shared CWE-74, CWE-89
CVE-2025-1535Shared CWE-74, CWE-89
CVE-2026-0597Shared CWE-74, CWE-89
CVE-2026-1688Shared CWE-74, CWE-89
CVE-2026-5018Shared CWE-74, CWE-89

Affected Assets

Itsourcecode
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing the untrusted 'code' argument in /execute1.php before database queries.

prevent

Mandates identification, reporting, and correction of the specific SQL injection flaw in CVE-2026-7074 through patching or code remediation.

detect

Facilitates detection of the SQL injection vulnerability via regular scanning of the Construction Management System 1.0.

References