Description
A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-02-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL injection enabling arbitrary database queries and potential data exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection in the "/admin/accepted-appointment.php" script of PHPGurukul Beauty Parlour Management System. A malicious user can manipulate the "delid" argument in a request to inject arbitrary SQL commands into the backend query. This flaw permits the attacker to read, modify, or delete database records, potentially exposing customer information or allowing the creation of privileged accounts. The description notes that the attack may be launched remotely and that a public exploit is available, so any user with web access to the affected endpoint could exploit the flaw.

Affected Systems

The affected product is PHPGurukul Beauty Parlour Management System, version 1.1. No other versions or additional vendors are listed, so remediation efforts should focus on this specific build.

Risk and Exploitability

The CVSS score of 6.9 reflects medium severity, with potential impact on confidentiality and integrity. The EPSS score of less than 1% suggests that, at present, exploitation is unlikely to be widespread, but the public availability of an exploit means the vulnerability should not be ignored. Because the flaw is exploitable remotely via a web request, attackers with network access to the application can attempt exploitation with minimal effort. The system is not listed in the CISA KEV catalog, so there is no confirmation there of active exploitation, but the presence of a known vulnerability remains a significant concern for administrators.

Generated by OpenCVE AI on April 17, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch or upgrade to a newer release of the Beauty Parlour Management System that addresses the SQL injection in accepted-appointment.php.
  • If a patch is not yet available, tightly restrict access to /admin/accepted-appointment.php to authenticated administrators and sanitize or parameterize the "delid" input to prevent injected SQL code from being executed.
  • Deploy a web application firewall or monitor database activity for anomalous queries, and consider disabling remote access to admin interfaces until the issue is resolved.
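
An added example, not part of the OpenCVE record or the vendor's code: a log check in the spirit of the monitoring recommendation above, flagging requests to the affected script whose "delid" value is not a plain integer. It assumes that delid normally carries a numeric record id and that the web server writes combined-format access logs; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/admin/accepted-appointment.php"
PARAM = "delid"

# Assumption: a legitimate delid is a short positive integer record id.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_delid(log_line):
    """Return the delid values in this log line that are not plain integers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # endswith() tolerates an install prefix; unquote() undoes an encoded path.
    if not unquote(parts.path).lower().endswith(TARGET_PATH):
        return []
    # parse_qs URL-decodes values and keeps repeated and blank parameters.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not VALID_ID.fullmatch(v)]


def scan(lines):
    """Return (client_ip, bad_values) for each log line that needs review."""
    findings = []
    for line in lines:
        bad = suspicious_delid(line)
        if bad:
            findings.append((line.split(" ", 1)[0], bad))
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Feb/2026:10:01:02 +0000] "GET /admin/accepted-appointment.php?delid=12 HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Feb/2026:10:03:44 +0000] "GET /admin/accepted-appointment.php?delid=12%27 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Feb/2026:10:03:50 +0000] "GET /admin/accepted-appointment.php?delid=3&delid=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Feb/2026:10:05:00 +0000] "GET /admin/dashboard.php?delid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, bad in scan(SAMPLE_LOG):
        print(ip, bad)
```

Access logs record only the query string, so a delid sent in a request body would need the same check applied at a WAF or in the application itself.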

Advisories

No advisories yet.

History

Sat, 21 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:beauty_parlour_management_system:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:beauty_parlour_management_system:1.1:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Phpgurukul
Phpgurukul beauty Parlour Management System
Vendors & Products Phpgurukul
Phpgurukul beauty Parlour Management System

Sat, 07 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Title PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:32:38.171Z

Reserved: 2026-02-06T08:24:05.325Z

Link: CVE-2026-2088

Vulnrichment

Updated: 2026-02-10T15:53:28.891Z

NVD

Status : Analyzed

Published: 2026-02-07T15:15:57.753

Modified: 2026-02-10T14:54:32.743

Link: CVE-2026-2088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z
