Description
A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
Published: 2026-02-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

This vulnerability resides in the admin/productcontroller.php component of the Agri‑Trading Online Shopping System. By sending a specially crafted POST request that manipulates the Product parameter, an attacker can inject arbitrary SQL commands into the database. The exploit is accessible from outside the network and has been made public, meaning that an unauthenticated user can gain unauthorized read or write access to the database, potentially exposing sensitive user data or modifying transaction records.

Affected Systems

The affected product is itsourcecode Agri‑Trading Online Shopping System, version 1.0, as identified by the vendor and CPE string cpe:2.3:a:adonesevangelista:agri-trading_online_shopping_system:1.0. No other versions or products are listed as vulnerable in the provided data.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates medium severity (the CVSS v3.1 score is 7.3), while the EPSS score of less than 1% suggests a low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and the attack vector is remote. The public availability of the exploit further raises the risk that skilled adversaries could target the system for data compromise or tampering.

Generated by OpenCVE AI on April 17, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or upgrade to a later version of the Agri‑Trading Online Shopping System that addresses the SQL injection in productcontroller.php.
  • If a patch is not yet available, reinforce the request handling with strict input validation and use parameterized queries or prepared statements to prevent injection of malicious SQL fragments.
  • Implement a web application firewall or equivalent filtering to block suspicious POST requests targeting the Product parameter and monitor the application logs for repeated injection attempts.


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adonesevangelista; Adonesevangelista agri-trading Online Shopping System |
| CPEs | | cpe:2.3:a:adonesevangelista:agri-trading_online_shopping_system:1.0:*:*:*:*:*:*:* |
| Vendors & Products | | Adonesevangelista; Adonesevangelista agri-trading Online Shopping System |

Mon, 23 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 23 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Itsourcecode; Itsourcecode agri-trading Online Shopping System |
| Vendors & Products | | Itsourcecode; Itsourcecode agri-trading Online Shopping System |

Sat, 21 Feb 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. |
| Title | | itsourcecode Agri-Trading Online Shopping System HTTP POST Request productcontroller.php sql injection |
| Weaknesses | | CWE-74; CWE-89 |
| References | | |
| Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:42:30.082Z

Reserved: 2026-02-20T14:19:18.098Z

Link: CVE-2026-2865

Vulnrichment

Updated: 2026-02-23T19:42:23.740Z

NVD

Status: Analyzed

Published: 2026-02-21T08:16:12.643

Modified: 2026-02-26T02:44:11.090

Link: CVE-2026-2865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z
