Description
A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-07-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the login functionality of RafyMrX TOKO-ONLINE-ROTI, where manipulating the Username parameter results in an SQL injection. The flaw allows an attacker to craft malicious queries that can read, modify, or delete database contents. This can lead to data compromise or unauthorized user control. The CVSS score of 6.9 signals a medium severity, reflecting the potential for significant impact if exploited.

Affected Systems

The affected product is RafyMrX’s TOKO-ONLINE-ROTI. The description refers to a commit identifier (ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) but no explicit software version numbers are provided, as the vendor follows a rolling release model. Therefore, any instance of the application on this commit or later is potentially vulnerable.

Risk and Exploitability

The EPSS score of less than 1% indicates that the likelihood of public exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an exploit is publicly available, and remote attackers can trigger it by sending crafted requests to the login endpoint. Because the attack vector is over the network and does not require local privilege, it can be performed from anywhere that can reach the web server.

Generated by OpenCVE AI on July 12, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the login endpoint to trusted IP ranges or VPN.
  • Deploy a web application firewall that blocks SQL injection patterns before they reach the application.
  • Update the application code to use prepared statements or parameterized queries for all database interactions.
  • Monitor authentication logs for unusual login attempts and unusual SQL query patterns.

Generated by OpenCVE AI on July 12, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 12 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
Title RafyMrX TOKO-ONLINE-ROTI login.php sql injection
First Time appeared Rafymrx
Rafymrx toko-online-roti
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:rafymrx:toko-online-roti:*:*:*:*:*:*:*:*
Vendors & Products Rafymrx
Rafymrx toko-online-roti
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Rafymrx Toko-online-roti
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-12T09:00:07.002Z

Reserved: 2026-07-11T11:55:01.885Z

Link: CVE-2026-15489

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T22:00:13Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')