Description
GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
Published: 2026-06-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the scost parameter of the search_products.php script in the Grocery Store Management System. The vulnerable code constructs a database query that directly includes user-supplied input, allowing an attacker to inject arbitrary SQL commands. The result is the ability to read any data reachable by the application’s database account, exposing product inventories, customer records, and sales information. This flaw matches CWE-89 and does not affect application integrity or availability beyond data disclosure.

Affected Systems

The open‑source Grocery Store Management System built with PHP and MySQL, version 1.0, is the affected product. The vulnerability has been identified in the publicly available GitHub repository and specifically in the /grocery/search_products.php endpoint used for product searching.

Risk and Exploitability

The issue carries a CVSS score of 7.7, indicating high severity, and has an EPSS score of < 1%, suggesting a low likelihood of widespread exploitation at this time. It is not listed in the CISA KEV catalog. The attack vector is over the web, with an attacker able to supply a crafted scost parameter when accessing the search functionality. If successful, the attacker can retrieve confidential database contents. While the EPSS score is low, the high CVSS and the nature of the data exposed warrant immediate attention.

Generated by OpenCVE AI on June 26, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the vulnerable query by using a prepared statement or parameterized query that treats the scost value as a bound parameter, preventing SQL syntax modification.
  • Limit the MySQL user privileges for the application to the minimum required, for example granting only SELECT rights on the tables accessed by the product search functionality.
  • Upgrade to the latest release of the Grocery Store Management available.

Generated by OpenCVE AI on June 26, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title SQL Injection Vulnerability in Grocery Store Management System via scost Parameter

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Anirudhkannanvp
Anirudhkannanvp grocery Store Management System
Vendors & Products Anirudhkannanvp
Anirudhkannanvp grocery Store Management System

Thu, 25 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title SQL Injection Vulnerability in Grocery Store Management System via scost Parameter
Weaknesses CWE-89

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
References

Subscriptions

Anirudhkannanvp Grocery Store Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T14:14:25.636Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37149

cve-icon Vulnrichment

Updated: 2026-06-26T14:14:22.058Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')