Description
A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-07-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the save_users function of classes/Users.php in SourceCodester Multi‑Vendor Online Grocery Management System 1.0. The function handles creation and modification of user accounts but does not verify that the caller is authorized to perform that operation, so a remote attacker can create or alter accounts without holding the privileges the operation requires. The weakness is classified as CWE‑266 (Incorrect Privilege Assignment) and CWE‑285 (Improper Authorization). Depending on which account fields the function accepts, an attacker could assign an elevated role to an account under their control, take over existing accounts, or alter user records, compromising user data and disrupting operations. The published vectors rate the confidentiality, integrity and availability impact as Low (C:L/I:L/A:L), so full administrative takeover is a plausible but not confirmed outcome.

Affected Systems

SourceCodester Multi‑Vendor Online Grocery Management System version 1.0 is affected. No other product versions are listed as impacted; note, however, that the CPE entry recorded for this CVE carries a wildcard version, so any deployment of this codebase should be treated as potentially affected until the version in use has been confirmed.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (Medium) reflects a network‑reachable flaw that requires no privileges and no user interaction (AV:N/AC:L/AT:N/PR:N/UI:N) with Low impact on each of confidentiality, integrity and availability; the CVSS v3.0 and v3.1 vectors score the same characteristics at 7.3 (High). With a proof of concept publicly available (E:P) and remote exploitation possible, systems running the unpatched 1.0 release are at meaningful risk. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in CISA's KEV catalog, so no widespread or time‑sensitive exploitation campaign is known at the time of writing. The likely attack path is an unauthenticated HTTP request to the handler that dispatches to save_users, carrying attacker‑chosen account data that the function persists without checking the caller's role.

Generated by OpenCVE AI on July 5, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the SourceCodester website for any available patch or update addressing the improper authorization flaw.
  • Modify the application so that the code path leading to save_users validates the caller's session and role server‑side, and refuses the write unless the session belongs to an administrator; do not rely on the admin page being hidden from non‑admin users.
  • Restrict or block external access to the request path that dispatches to save_users using firewall rules, a WAF, or network ACLs, limiting traffic to trusted IPs only until a code fix is in place.
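The role check in the second recommendation, shown as an added example that is not the project's own code. It contrasts a handler that persists submitted account data unconditionally (the CWE-285 pattern the description points to) with one that refuses the write unless the session belongs to an administrator and the requested role is one the application recognises. The session keys, the role encoding, the users table and the PDO/SQLite backing store are all assumptions made so the script runs stand-alone with `php` (the pdo_sqlite extension is assumed to be installed).

```php
<?php
// Added example, not code from the SourceCodester project. It models the
// "save user" pattern in minimal form: the vulnerable handler persists whatever
// the request carries; the hardened handler first checks that the request comes
// from an authenticated session with the admin role, then whitelists the
// writable fields and validates the requested role value.
// $_SESSION-style keys ('login_id', 'login_type'), the role constants and the
// users schema are assumptions for this example.

declare(strict_types=1);

const ROLE_ADMIN = 1;   // assumed role encoding: 1 = administrator
const ROLE_STAFF = 2;   // assumed role encoding: 2 = ordinary vendor/staff account

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, type INTEGER)');
    // Constructed seed data: one pre-existing administrator.
    $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)')
       ->execute(['admin', password_hash('admin123', PASSWORD_DEFAULT), ROLE_ADMIN]);
    return $db;
}

// Vulnerable pattern (CWE-285): nothing checks who is calling, so any remote
// client that can reach the handler can create an administrator account.
function save_users_vulnerable(PDO $db, array $post): string
{
    $stmt = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
    $stmt->execute([$post['username'], password_hash($post['password'], PASSWORD_DEFAULT), (int) $post['type']]);
    return 'saved';
}

// Hardened pattern: authorization is enforced server-side before any write.
function save_users_hardened(PDO $db, array $session, array $post): string
{
    // 1. The caller must be authenticated at all.
    if (empty($session['login_id'])) {
        http_response_code(401);
        return 'unauthenticated';
    }
    // 2. Only administrators may create or modify accounts.
    if ((int) ($session['login_type'] ?? 0) !== ROLE_ADMIN) {
        http_response_code(403);
        return 'forbidden';
    }
    // 3. Whitelist the writable fields and validate the role value so a
    //    tampered 'type' cannot smuggle in an unexpected privilege level.
    $type = (int) ($post['type'] ?? ROLE_STAFF);
    if (!in_array($type, [ROLE_ADMIN, ROLE_STAFF], true)) {
        http_response_code(400);
        return 'invalid role';
    }
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || strlen($password) < 8) {
        http_response_code(400);
        return 'invalid input';
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $type]);
    return 'saved';
}

function count_admins(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users WHERE type = ' . ROLE_ADMIN)->fetchColumn();
}

// Demonstration with a constructed anonymous request asking for an admin account.
$attackerPost = ['username' => 'evil', 'password' => 'hunter2hunter2', 'type' => (string) ROLE_ADMIN];

$db = open_db();
save_users_vulnerable($db, $attackerPost);
printf("vulnerable handler: admins after anonymous request = %d\n", count_admins($db));

$db = open_db();
$r = save_users_hardened($db, [], $attackerPost);
printf("hardened handler, no session:    %-15s admins = %d\n", $r, count_admins($db));
$r = save_users_hardened($db, ['login_id' => 7, 'login_type' => ROLE_STAFF], $attackerPost);
printf("hardened handler, staff session: %-15s admins = %d\n", $r, count_admins($db));
$r = save_users_hardened($db, ['login_id' => 1, 'login_type' => ROLE_ADMIN], $attackerPost);
printf("hardened handler, admin session: %-15s admins = %d\n", $r, count_admins($db));
```

The important property is that the decision is made from server-held session state, never from anything the client submits: a hidden admin menu or a client-side role field is not an authorization control. When retrofitting this into a real handler, put the check at the top of the dispatching code path rather than inside individual branches, so a new action added later cannot bypass it.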



Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type                  Values Removed   Values Added
Description           -                A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Title                 -                SourceCodester Multi-Vendor Online Grocery Management System Users.php save_users improper authorization
First Time appeared   -                Sourcecodester; Sourcecodester multi-vendor Online Grocery Management System
Weaknesses            -                CWE-266; CWE-285
CPEs                  -                cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:*
Vendors & Products    -                Sourcecodester; Sourcecodester multi-vendor Online Grocery Management System
References            -                -
Metrics               -                cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-05T01:30:09.372Z

Reserved: 2026-07-04T04:58:52.574Z

Link: CVE-2026-14690

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T12:00:14Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-285

    Improper Authorization