CVE-2026-0582 identifies a SQL injection vulnerability in the itsourcecode Society Management System version 1.0, specifically within the /admin/edit_activity_query.php file. The vulnerability is triggered by manipulation of the 'Title' parameter, which is not properly sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially leading to unauthorized access, data leakage, data modification, or deletion within the backend database. The attack vector is network-based (AV:N), requiring no user interaction (UI:N) and no privileges (PR:L, meaning low privileges are sufficient), making it relatively easy to exploit. The vulnerability impacts confidentiality, integrity, and availability, though the impact is limited to low-level privileges and low scope change, reflected in the CVSS 4.0 score of 5.3 (medium severity). No patches or fixes have been published yet, and while no active exploitation has been reported, a public exploit is available, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is used for managing society or community activities, making it a critical concern for organizations relying on this software for administrative functions.

For European organizations using the itsourcecode Society Management System 1.0, this vulnerability poses a significant risk of unauthorized data access and manipulation. Exploitation could lead to exposure of sensitive community or membership data, undermining privacy and compliance with regulations such as GDPR. Data integrity could be compromised, affecting trustworthiness of records and operational decisions. Availability may also be impacted if attackers execute destructive SQL commands or cause database corruption. The medium severity indicates moderate but tangible risk, especially for organizations with limited security controls or those exposing the administrative interface to the internet. The presence of a public exploit increases the likelihood of attack attempts, potentially leading to data breaches, reputational damage, and regulatory penalties within Europe. Organizations managing community data in sectors such as local governments, social clubs, or non-profits are particularly at risk.

1. Immediately restrict access to the /admin/edit_activity_query.php endpoint using network-level controls such as IP whitelisting or VPN access to limit exposure. 2. Implement strict input validation and sanitization on the 'Title' parameter to prevent injection of malicious SQL code. 3. Refactor the application code to use parameterized queries or prepared statements instead of dynamic SQL concatenation. 4. Conduct a thorough code review of the entire application to identify and remediate similar injection points. 5. Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint. 6. If possible, isolate the database with least privilege principles to limit the damage scope if exploited. 7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability. 8. Educate administrators on the risks of exposing administrative interfaces publicly and enforce strong authentication and authorization controls. 9. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting this parameter.