Description
Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
Published: 2026-04-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Grocery Store Management System 1.0 allows attackers to inject arbitrary SQL through the sitem_name POST parameter sent to /Grocery/search_products_itname.php. The unvalidated input can bypass database filtering, enabling attackers to read, modify, or delete data in the underlying database. This weakness corresponds to the classic SQL Injection vulnerability (CWE-89) and can lead to confidentiality and integrity compromises for the application's data.

Affected Systems

The affected product is the Grocery Store Management System 1.0 developed by anirudhkannan. The vulnerability exists in the /Grocery/search_products_itname.php component, which processes POST requests from users searching for products by name.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of risk, with a high likelihood that attackers can exploit this flaw remotely by sending crafted POST requests to the vulnerable endpoint. The lack of available EPSS data means the exploit probability is not quantified, but the absence of a KEV listing does not reduce the potential for abuse. Given that the input parameter is accessible without special permissions, the vulnerability can be leveraged by unauthenticated users to extract or manipulate database contents.

Generated by OpenCVE AI on April 14, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or upgrade to a fixed version of the Grocery Store Management System (if available).
  • If a patch is not available, modify the application to use parameterized queries or properly escape the sitem_name input before including it in SQL statements.
  • Restrict access to the /Grocery/search_products_itname.php endpoint to authenticated or trusted users only.
  • Implement web‐application firewall rules to detect and block common SQL injection patterns targeting the sitem_name parameter.

Generated by OpenCVE AI on April 14, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Anirudhkannanvp
Anirudhkannanvp grocery Store Management System
Vendors & Products Anirudhkannanvp
Anirudhkannanvp grocery Store Management System

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Grocery Store Management System via search_products_itname.php
Weaknesses CWE-89

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N'}

Subscriptions

Anirudhkannanvp Grocery Store Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:53:49.359Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63939

cve-icon Vulnrichment

Updated: 2026-04-14T17:53:42.421Z

cve-icon NVD

Status : Received

Published: 2026-04-14T16:16:33.660

Modified: 2026-04-14T18:16:40.807

Link: CVE-2025-63939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:03:17Z

Weaknesses