CVE-2026-7074
Published: 27 April 2026
Summary
CVE-2026-7074 is an injection vulnerability (CWE-74; specifically SQL injection, CWE-89) in itsourcecode Construction Management System 1.0. The summary entry lists a CVSS base score of 5.5 (Medium), but the CVSS v3.1 vector reported in the deeper analysis below (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) computes to 7.3 (High); the two figures on this page disagree, and the vector rather than the headline number should drive prioritisation.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7074 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Construction Management System 1.0. The flaw is in the file /execute1.php (the affected function is not identified in the advisory), where the 'code' argument reaches a SQL query without adequate validation, so a crafted value is interpreted as part of the statement. Published on 2026-04-27, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): High, because the endpoint is reachable over the network with low attack complexity and requires neither privileges nor user interaction.
Unauthenticated remote attackers can exploit it over the network without user interaction by sending a crafted value for the 'code' argument. The vector rates the impact on confidentiality, integrity and availability as Low (limited data exposure, minor data modification, minor service disruption). Those Low ratings are the scorer's assessment rather than a measured limit: the practical reach of a SQL injection is bounded by the privileges of the database account the application connects with and by which statements the injection point allows, so an assessment of an exposed instance should confirm what that account can actually read and write.
Advisories and additional details are documented in references such as the GitHub issue at https://github.com/Beatriz-ai-boop/cve/issues/3, the vendor site at https://itsourcecode.com/, and VulDB entries including https://vuldb.com/submit/799544, https://vuldb.com/vuln/359649, and https://vuldb.com/vuln/359649/cti. The exploit has been publicly disclosed and may be used against vulnerable instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25751
Vulnerability details
A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of the argument code leads to SQL injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (the /execute1.php endpoint) is reached directly over the network without authentication, which is exactly the pattern T1190: Exploit Public-Facing Application describes.
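For the detection side of T1190, the following added example (not part of this advisory or of the product) scans web-server access-log lines for requests to /execute1.php whose 'code' argument carries SQL injection indicators. The log lines are constructed for the example; the Common Log Format layout and the indicator patterns are assumptions that a real deployment would tune to its own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). They use the
# /execute1.php path and the 'code' argument named in the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2026:10:01:02 +0000] "GET /execute1.php?code=PRJ-002 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2026:10:01:09 +0000] "GET /execute1.php?code=PRJ-002%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2026:10:01:15 +0000] "GET /execute1.php?code=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "curl/8.0"
198.51.100.7 - - [27/Apr/2026:10:02:30 +0000] "POST /execute1.php HTTP/1.1" 200 400 "-" "curl/8.0"
"""

# Assumed Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL injection in a decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),   # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b.*\bselect\b", re.I),       # UNION-based data extraction
    re.compile(r"(--|/\*|#)"),                        # comment sequences that swallow the rest of the query
    re.compile(r"\b(sleep|benchmark|load_file)\s*\(", re.I),  # time-based / file-read functions
]


def inspect_request(line):
    """Return an alert dict for a suspicious /execute1.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/execute1.php":
        return None
    # parse_qs percent-decodes the values once, so the patterns see the decoded payload.
    for value in parse_qs(parts.query).get("code", []):
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
        if hits:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "code": value,
                "indicators": hits,
            }
    return None


def scan_log(text):
    """Run inspect_request over every line and collect the alerts."""
    return [a for a in (inspect_request(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Access logs record only the request line, so a POST body carrying the same payload is invisible to this scan; closing that blind spot needs request-body logging or a WAF log source. A 200 status on the injected requests, as in the constructed lines, is not reassuring: the vulnerable page answers the injected query normally, so the response size is often the better pivot.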
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the injection by validating the untrusted 'code' argument in /execute1.php before it reaches a database query.
- SI-2 (Flaw Remediation): mandates identification, reporting and correction of this SQL injection flaw through a vendor patch or code remediation.
- Regular vulnerability scanning (the page does not name the control): facilitates detection of vulnerable Construction Management System 1.0 instances.
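As an added illustration of the vulnerable pattern described in the deeper analysis and of the SI-10 remediation listed above (not code from the Construction Management System, whose /execute1.php query the advisory does not describe), the block below places a string-concatenated lookup on the 'code' argument next to a parameterised one and runs both against a tautology and a UNION payload. The table name `tasks`, its columns, the sample rows and the project-code format are assumptions, and the database is an in-memory SQLite instance rather than the MySQL such a PHP application would typically use.

```python
import re
import sqlite3

# Constructed sample data (not from the product). Table and column names are
# assumptions, since the advisory does not describe the query in /execute1.php.
SAMPLE_ROWS = [
    ("PRJ-001", "Site survey", "alice"),
    ("PRJ-002", "Foundation pour", "bob"),
    ("PRJ-003", "Steel framing", "carol"),
]

# Assumed legitimate shape of a project code, used for allow-list validation.
CODE_RE = re.compile(r"[A-Z]{3}-\d{3}")


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (code TEXT, description TEXT, owner TEXT)")
    conn.executemany("INSERT INTO tasks VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, code):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so quotes, operators and comment markers in it become part of the statement."""
    sql = "SELECT code, description FROM tasks WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, code):
    """Hardened pattern (SI-10): the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT code, description FROM tasks WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


def validate_code(code):
    """Allow-list check to apply before any query is built; rejects anything
    that is not exactly one project code."""
    if not CODE_RE.fullmatch(code):
        raise ValueError("invalid code")
    return code


def demo():
    """Run benign and injected inputs through both lookups and return the rows."""
    conn = make_db()
    benign = "PRJ-002"
    tautology = "x' OR '1'='1"                        # widens the WHERE clause to every row
    union = "x' UNION SELECT owner, 'leak' FROM tasks --"  # pulls an unrelated column; '--' discards the trailing quote
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_parameterized(conn, benign),
        "tautology_vuln": lookup_vulnerable(conn, tautology),
        "tautology_safe": lookup_parameterized(conn, tautology),
        "union_vuln": lookup_vulnerable(conn, union),
        "union_safe": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running demo() shows the vulnerable lookup returning every row for the tautology and the `owner` column for the UNION payload, while the parameterised lookup returns nothing for either; validate_code() rejects both payloads before a statement is ever built. Binding parameters is the fix that closes the flaw; the allow-list is defence in depth and is only sound if its pattern genuinely covers every legitimate value.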