CVE-2026-7077
Published: 27 April 2026
Summary
CVE-2026-7077 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode (inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7077 is a SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Courier Management System version 1.0. The affected component is an unknown function within the file /edit_parcel.php, where manipulation of the ID argument triggers the injection.
The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), allowing limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories referenced in VulDB entries (e.g., vuln/359652) and a GitHub issue detail the vulnerability, confirming that a public exploit is available and might be used. The vendor site at itsourcecode.com is listed among references for further context.
The exploit's public availability heightens the risk of real-world usage against exposed instances of the Courier Management System 1.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25759
Vulnerability details
A vulnerability was identified in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /edit_parcel.php. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
- CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
SQL injection in public-facing web app (/edit_parcel.php) allows remote unauthenticated exploitation with limited data impacts, directly enabling T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of user inputs such as the ID argument in /edit_parcel.php to prevent SQL injection exploitation.
- Mandates timely identification and remediation of flaws such as the SQL injection vulnerability in CVE-2026-7077.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify SQL injection vulnerabilities like the one in the Courier Management System's edit_parcel.php.
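To make the SI-10 control concrete, the following added example (not code from itsourcecode or from the Courier Management System; the original application is PHP, and its schema is not on the page) models the defect class in the /edit_parcel.php ID argument and shows the hardened form. It uses a constructed in-memory SQLite table standing in for the parcel data: `lookup_parcel_unsafe` splices the request parameter into the SQL text, while `lookup_parcel_safe` first validates that the ID is a positive integer and then binds it as a query parameter. Table name, column names and sample rows are assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for the courier app's parcel table.
# Assumption: the real schema of the Courier Management System is not on the page.
SAMPLE_PARCELS = [
    (1, "Alice", "in transit"),
    (2, "Bob", "delivered"),
    (3, "Carol", "pending"),
]


def make_db():
    """Build an in-memory database with the constructed parcel rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (id INTEGER PRIMARY KEY, recipient TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)", SAMPLE_PARCELS)
    return conn


def lookup_parcel_unsafe(conn, id_arg):
    """Vulnerable pattern: the request parameter becomes part of the SQL text."""
    query = f"SELECT id, recipient, status FROM parcels WHERE id = {id_arg}"
    return conn.execute(query).fetchall()


# A parcel id is a positive integer; anything else is rejected before it reaches SQL.
_ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def validate_parcel_id(id_arg):
    """SI-10 style input validation: allow-list the expected shape, return an int."""
    if not isinstance(id_arg, str) or not _ID_PATTERN.fullmatch(id_arg):
        raise ValueError("parcel id must be a positive integer")
    return int(id_arg)


def lookup_parcel_safe(conn, id_arg):
    """Hardened pattern: validated value bound as a parameter, never spliced in."""
    parcel_id = validate_parcel_id(id_arg)
    return conn.execute(
        "SELECT id, recipient, status FROM parcels WHERE id = ?", (parcel_id,)
    ).fetchall()


def demo():
    """Compare both lookups on a benign id and on a non-numeric id string."""
    conn = make_db()
    benign = "2"
    crafted = "2 OR 1=1"  # constructed input that changes the WHERE clause when spliced in
    results = {
        "unsafe_benign": len(lookup_parcel_unsafe(conn, benign)),
        "unsafe_crafted": len(lookup_parcel_unsafe(conn, crafted)),
        "safe_benign": len(lookup_parcel_safe(conn, benign)),
    }
    try:
        lookup_parcel_safe(conn, crafted)
        results["safe_crafted"] = "accepted"
    except ValueError:
        results["safe_crafted"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the non-numeric input, because the input rewrote the predicate; the safe lookup rejects it at validation and, even for inputs that pass the allow-list, binds the value so the database never interprets it as SQL. Parameter binding alone would already defeat the injection; the allow-list check is what SI-10 asks for in addition, and it also gives a clean point to log and alert on malformed IDs.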