CVE-2026-7076
Published: 27 April 2026
Summary
CVE-2026-7076 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode (inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7076 is a SQL injection vulnerability in the itsourcecode Courier Management System 1.0, affecting an unknown function within the file /edit_branch.php. The flaw arises from improper handling of the ID argument, allowing attackers to manipulate input and execute arbitrary SQL queries. It has been assigned CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers can exploit this vulnerability without authentication or user interaction by sending crafted requests to the vulnerable endpoint. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as extracting sensitive data, modifying database records, or disrupting service through injected SQL payloads.
Advisories and references, including a GitHub issue at https://github.com/Beatriz-ai-boop/cve/issues/5, the vendor site at https://itsourcecode.com/, and VulDB entries at https://vuldb.com/submit/799546, https://vuldb.com/vuln/359651, and https://vuldb.com/vuln/359651/cti, document the issue but do not specify patches or detailed mitigation steps in the available information.
The vulnerability was published on 2026-04-27, and an exploit has been publicly disclosed, making it readily utilizable by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25754
Vulnerability details
A vulnerability was determined in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The…
more
exploit has been publicly disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web app (/edit_branch.php) directly enables remote exploitation of the application via crafted requests, mapping to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses SQL injection in /edit_branch.php by requiring validation and neutralization of the untrusted ID argument before use in SQL queries.
Requires timely identification, prioritization, and remediation of the specific SQL injection flaw (CVE-2026-7076) in the Courier Management System.
Provides boundary protection at network interfaces to remotely block or detect crafted SQL injection payloads targeting the vulnerable /edit_branch.php endpoint.