Description
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function update_settings_info of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content[] leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-07-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the SourceCodester Multi-Vendor Online Grocery Management System allows attackers to inject arbitrary code by manipulating the content[] argument in the update_settings_info function within SystemSettings.php. This code injection flaw can lead to the execution of malicious code on the server, jeopardizing confidentiality, integrity, and availability of the application and its underlying infrastructure.

Affected Systems

The defect is present in SourceCodester Multi‑Vendor Online Grocery Management System version 1.0. Administrators and authenticated users who have access to the update_settings_info endpoint are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but because the flaw permits remote code injection and has been publicly disclosed, the practical risk is considerably higher. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, yet an attacker with network access can exploit the flaw without any special conditions beyond supplying a crafted content[] payload. The lack of an official patch or mitigation guidance in the public record further amplifies the urgency of addressing this issue.

Generated by OpenCVE AI on July 5, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch that sanitizes the content[] parameter in update_settings_info, or upgrade to a version where the flaw has been fixed.
  • If an immediate patch is not available, disable the update_settings_info endpoint or restrict its use to authenticated administrators only to limit exposure.
  • Implement server‑side validation so that content[] can contain only known, safe configuration values and reject or sanitize any other input.
  • Optionally, configure the web application firewall to block requests that attempt to inject code via the content[] parameter.

Generated by OpenCVE AI on July 5, 2026 at 07:37 UTC.
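As an added illustration of the third recommended action (server-side allowlisting of the content[] parameter), the following PHP is not code from the SourceCodester application and makes no claim about how its classes/SystemSettings.php is written; the setting names, the system_info table and columns, and the method signature are all assumptions. The pattern it shows is the defensive one the recommendation describes: accept only known setting keys, require each value to be a bounded plain string, and persist through a prepared statement so submitted text is treated as data and is never interpolated into executable PHP or into SQL.

```php
<?php
// Added example of a hardened settings-update handler. Not the project's own
// code: the allowlisted keys, the system_info table and its meta_field /
// meta_value columns are assumptions chosen for illustration.

final class SafeSystemSettings
{
    /** Setting keys the form is allowed to update (assumed names). */
    private const ALLOWED_KEYS = ['name', 'short_name', 'email', 'contact', 'address'];

    /** Upper bound on a single value; oversized input is rejected, not truncated. */
    private const MAX_VALUE_LENGTH = 1000;

    public function __construct(private PDO $db) {}

    /**
     * Validate $content (the submitted content[] array) against the allowlist
     * and persist it. Returns the list of keys that were written.
     *
     * @param array<mixed> $content  the raw $_POST['content'] array or equivalent
     * @throws InvalidArgumentException on any unexpected key or value
     */
    public function updateSettingsInfo(array $content): array
    {
        $clean = [];
        foreach ($content as $key => $value) {
            // Only string keys from the allowlist pass. Numeric-looking keys
            // become ints in PHP arrays and therefore fail is_string().
            if (!is_string($key) || !in_array($key, self::ALLOWED_KEYS, true)) {
                throw new InvalidArgumentException('unexpected setting key');
            }
            // Values must be scalar strings; nested arrays are rejected, not flattened.
            if (!is_string($value)) {
                throw new InvalidArgumentException("setting value must be a string: $key");
            }
            if (strlen($value) > self::MAX_VALUE_LENGTH || !mb_check_encoding($value, 'UTF-8')) {
                throw new InvalidArgumentException("setting value rejected: $key");
            }
            $clean[$key] = $value;
        }

        // Persist with bound parameters. The value is never concatenated into
        // SQL and never written into a .php file, so it cannot become code.
        $stmt = $this->db->prepare(
            'UPDATE system_info SET meta_value = :v WHERE meta_field = :k'
        );
        foreach ($clean as $k => $v) {
            $stmt->execute([':k' => $k, ':v' => $v]);
        }
        return array_keys($clean);
    }
}

// Usage sketch (constructed input, assumes a PDO connection in $pdo):
//   $settings = new SafeSystemSettings($pdo);
//   $written = $settings->updateSettingsInfo($_POST['content'] ?? []);
// A request carrying a key outside ALLOWED_KEYS, a nested array, or an
// oversized value raises InvalidArgumentException before anything is stored.
```

This addresses only the input-validation bullet; it does not replace the access-control bullet above, so the caller still has to verify that the requesting session is an administrator before invoking the method. Rejecting unknown keys outright (rather than silently dropping them) also makes the failed attempt visible in application logs, which is useful for detection while a vendor fix is outstanding.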

Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function update_settings_info of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content[] leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title                (none)           SourceCodester Multi-Vendor Online Grocery Management System Setting SystemSettings.php update_settings_info code injection
First Time appeared  (none)           Sourcecodester; Sourcecodester multi-vendor Online Grocery Management System
Weaknesses           (none)           CWE-74; CWE-94
CPEs                 (none)           cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Sourcecodester; Sourcecodester multi-vendor Online Grocery Management System
References           (none)           (none)
Metrics              (none)           cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-05T01:45:09.015Z

Reserved: 2026-07-04T04:58:54.895Z

Link: CVE-2026-14691

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T07:45:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')