Description
GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
Published: 2026-06-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The application contains an SQL injection vulnerability in the scost parameter of /grocery/search_products.php. An attacker can craft a malicious query that bypasses normal controls and extracts sensitive data from the database, such as product inventory, customer records, and sales logs. This flaw allows unauthorized read access and matches CWE-89. No impact on integrity or availability is reported.

Affected Systems

The affected product is the Grocery Store Management System using PHP and MySQL, version 1.0, as released in the public GitHub repository. The vulnerability is present in the search_products.php script, which handles user input for product searches.

Risk and Exploitability

The vulnerability is exploitable over the web via the scost parameter, and attackers can construct SQL payloads when accessing the search functionality. No EPSS score is available, and the issue is not listed in CISA KEV, suggesting no confirmed widespread exploitation yet. However, SQL injection remains a high-risk attack vector; if an attacker can reach the web application, they can trigger the flaw and obtain confidential data.

Generated by OpenCVE AI on June 25, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of the Grocery Store Management System that addresses the SQL injection flaw in search_products.php.
  • Replace the current query handling for the scost parameter with a prepared statement or parameterized query to ensure user input cannot alter SQL syntax.
  • Restrict the MySQL account used by the application to the minimum privileges required (e.g., SELECT only on necessary tables) to limit the damage potential if an injection succeeds.
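As an added illustration of the second and third actions above (this is not code from the Grocery Store Management System repository; the `products` table with `pname` and `cost` columns, the `grocery_ro` read-only MySQL account and the connection details are assumptions), a search handler for the `scost` parameter built on a prepared statement, with the string-concatenated pattern it replaces shown only as a comment:

```php
<?php
// Added example, not from the GROCERY-STORE-MANAGEMENT-SYSTEM project.
// Assumed schema: table `products` with columns `pname` and `cost`.
// Assumed account `grocery_ro` holds only SELECT on grocery.products
// (e.g. GRANT SELECT ON grocery.products TO 'grocery_ro'@'localhost'),
// so even a successful injection elsewhere cannot modify data.
$db = new mysqli('localhost', 'grocery_ro', 'PLACEHOLDER_PASSWORD', 'grocery');
if ($db->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}
$db->set_charset('utf8mb4');

// Unsafe pattern of the kind the advisory describes (comment only):
//   $sql = "SELECT pname, cost FROM products WHERE cost <= " . $_GET['scost'];
// Here the scost value becomes part of the SQL text, so it can change
// the statement instead of being treated as a number.

// 1. Validate the type before the value reaches the database at all.
//    filter_input returns null when scost is absent and false when it
//    is present but not a float.
$scost = filter_input(INPUT_GET, 'scost', FILTER_VALIDATE_FLOAT);
if ($scost === null || $scost === false || $scost < 0) {
    http_response_code(400);
    exit('scost must be a non-negative number');
}

// 2. Bind the value as a parameter: the SQL text is fixed at prepare
//    time, so the user value can only ever be compared against `cost`.
$stmt = $db->prepare('SELECT pname, cost FROM products WHERE cost <= ? ORDER BY cost');
$stmt->bind_param('d', $scost);
$stmt->execute();
$result = $stmt->get_result();

// 3. Escape on output as well, so a stored product name cannot inject HTML.
while ($row = $result->fetch_assoc()) {
    printf("%s: %.2f\n",
        htmlspecialchars($row['pname'], ENT_QUOTES, 'UTF-8'),
        $row['cost']);
}
$stmt->close();
$db->close();
```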

Generated by OpenCVE AI on June 25, 2026 at 21:51 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

  • Metrics (values added):
      cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 02:15:00 +0000

  • First Time appeared (values added): Anirudhkannanvp; Anirudhkannanvp grocery Store Management System
  • Vendors & Products (values added): Anirudhkannanvp; Anirudhkannanvp grocery Store Management System

Thu, 25 Jun 2026 22:15:00 +0000

  • Title (value added): SQL Injection Vulnerability in Grocery Store Management System via scost Parameter
  • Weaknesses (value added): CWE-89

Thu, 25 Jun 2026 20:00:00 +0000

  • Description (value added): GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
  • References: (empty)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T14:14:25.636Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37149

Vulnrichment

Updated: 2026-06-26T14:14:22.058Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T02:00:17Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')