Impact
A vulnerability exists in itsourcecode Vehicle Management System 1.0, in an unspecified function of /billaction.php. Manipulating the ID argument triggers a SQL injection, allowing an attacker to inject arbitrary SQL statements. The weakness is classified under the injection and SQL injection classes (CWE-74, CWE-89). Successful exploitation can lead to unauthorized data retrieval or modification and potentially to complete compromise of the backend database, threatening the confidentiality, integrity, and availability of the system's data. The description does not state that the attacker achieves remote code execution, but the ability to execute privileged SQL statements may serve as a stepping stone to further exploitation.
Affected Systems
The affected product is itsourcecode Vehicle Management System version 1.0. No other versions or subcomponents were explicitly listed; the vulnerability resides in the /billaction.php module of this product.
Risk and Exploitability
The reported CVSS score of 6.9 falls in the medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. According to the description, the attack may be launched remotely via web requests, suggesting that an external user, whether authenticated or not, can craft a request that targets the ID parameter. Successful exploitation would allow the attacker to inject SQL commands into the backend database, potentially leading to data exfiltration, corruption, or unauthorized administrative actions. A public exploit has been disclosed and is usable in principle, but the low EPSS suggests limited immediate danger.
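The standard mitigation for this class of flaw is to validate the ID and bind it as a query parameter instead of concatenating it into SQL. The following PHP handler is an added illustration, not code from the Vehicle Management System; it assumes the application uses a mysqli connection and a hypothetical `bills` table with an integer primary key `id` (column names are placeholders).

```php
<?php
// Added example (hypothetical): a hardened lookup for the ID argument of a page
// such as /billaction.php. Assumes a mysqli connection $db and a `bills` table
// with an integer primary key `id`; table and column names are placeholders.
declare(strict_types=1);

function fetchBillById(mysqli $db, string $rawId): ?array
{
    // Defense in depth: accept only a plain positive integer (max 10 digits)
    // before the value gets anywhere near SQL.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        http_response_code(400);
        return null;
    }
    $id = (int) $rawId;

    // Parameterised statement: the value is bound as an integer and is never
    // interpreted as SQL text, which removes the injection vector entirely.
    $stmt = $db->prepare(
        'SELECT id, vehicle_id, amount, issued_on FROM bills WHERE id = ?'
    );
    if ($stmt === false) {
        http_response_code(500);
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // get_result() requires the mysqlnd driver; use bind_result() otherwise.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Weak pattern the advisory describes, shown only for contrast (never use):
//   $sql = "SELECT * FROM bills WHERE id = " . $_GET['id'];
// Here attacker-controlled text becomes part of the statement itself.

$bill = fetchBillById($db, (string) ($_GET['id'] ?? ''));
```

Logging rejected requests (the 400 branch) gives the SOC a simple signal for attempts against this parameter without exposing the database to them.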
OpenCVE Enrichment