Description
A weakness has been identified in SourceCodester Sales and Inventory System 1.0. The vulnerability affects unknown code in the file update_category.php of the HTTP GET Parameter Handler component. Manipulation of the argument sid leads to SQL injection. The attack can be launched remotely. The exploit has been made public and could be used in attacks.
Published: 2026-03-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection – Data Compromise
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in the update_category.php file of the SourceCodester Sales and Inventory System, where the sid GET parameter is not properly sanitized, allowing a remote attacker to inject arbitrary SQL statements. This can enable unauthorized reading, modification, or deletion of inventory data, resulting in loss of confidentiality and integrity of the business database. The weakness maps to improper neutralization of injected input arriving via HTTP GET parameters (CWE-74) and SQL injection through dynamic query construction (CWE-89).

Affected Systems

The affected product is SourceCodester Sales and Inventory System version 1.0. The flaw resides in the update_category.php component and is documented for the specific 1.0 release. No other releases are listed as vulnerable in the provided CVE data.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, while an EPSS score of less than 1% indicates a low probability of automated exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed to date. Based on the description, the attack vector is remote via an HTTP GET request manipulating the sid parameter, making the flaw exploitable over the network.

Generated by OpenCVE AI on April 8, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to a version of SourceCodester Sales and Inventory System that addresses the SQL injection flaw, if one is available from the vendor.
  • If no patch is available, restrict access to update_category.php to authenticated and authorized users only, for example by enforcing login checks or using server-side access controls such as .htaccess rules.
  • Modify the application code to validate and sanitize the sid GET parameter before it is used in any SQL query, preferably by refactoring the code to employ prepared statements or parameterized queries.
  • Deploy a web application firewall (WAF) or equivalent security layer to detect and block malicious SQL injection attempts targeting the sid argument.
  • Monitor web server and application logs for repeated injection attempts against update_category.php and investigate any suspicious activity promptly.
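The second and third recommended actions above (enforce an authorization check, then validate sid and pass it to the database through a prepared statement) are shown together in the following handler. This is an added example written for this page, not the project's own update_category.php, whose code is not reproduced here; the table and column names (category, sid, name), the session keys, and the database credentials are assumptions.

```php
<?php
// Added example (not the project's code): a hardened handler for a "sid"
// GET parameter of the kind described in this advisory.
// Table/column names (category, sid, name) and session keys are assumptions.
declare(strict_types=1);

// The weak pattern this advisory describes: the untrusted $_GET['sid'] value
// is concatenated into the SQL text, so the parameter becomes part of the query.
//   $sql = "SELECT * FROM category WHERE sid = " . $_GET['sid'];
//   $result = mysqli_query($conn, $sql);

/**
 * Validate the sid parameter: accept only a positive integer.
 * Returns null when the value is absent or malformed.
 */
function validate_sid(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a whole integer literal;
    // min_range additionally rejects zero and negatives.
    $sid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $sid === false ? null : $sid;
}

/**
 * Update a category row using a prepared statement, so the value is bound
 * as data and cannot alter the SQL text. Returns the affected row count.
 */
function update_category(PDO $pdo, int $sid, string $name): int
{
    $stmt = $pdo->prepare('UPDATE category SET name = :name WHERE sid = :sid');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- Request handling (what a hardened update_category.php would do) ---
session_start();

// Only authenticated, authorized users reach the update logic.
// 'user_id' and 'user_role' are assumed session keys for illustration.
if (empty($_SESSION['user_id']) || ($_SESSION['user_role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

$sid = validate_sid($_GET['sid'] ?? null);
if ($sid === null) {
    http_response_code(400);
    exit('Invalid category id');
}

$name = trim((string)($_POST['name'] ?? ''));
if ($name === '' || strlen($name) > 100) {
    http_response_code(400);
    exit('Invalid category name');
}

// DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=inventory;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$rows = update_category($pdo, $sid, $name);
echo $rows === 1 ? 'Category updated' : 'No category changed';
```

Two design points matter here. Validation alone (validate_sid) is not the fix; it narrows the input, but the prepared statement is what keeps the value out of the SQL text even if validation is later loosened. Disabling emulated prepares makes PDO send the parameterized query to the MySQL server rather than interpolating a quoted value client-side.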
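For the last recommended action (monitoring logs for injection attempts against update_category.php), a simple and robust rule is to flag any request to that script whose sid value is not a plain positive integer, since the legitimate application only ever sends an id. The script below, an added example rather than anything from the OpenCVE page or the vendor, applies that rule to constructed sample access-log lines in the common "combined" format and groups the anomalies by client address.

```php
<?php
// Added example (not part of the OpenCVE page): scan web-server access logs
// for requests to update_category.php whose sid parameter is not a plain
// positive integer, and group the anomalies by client address.
declare(strict_types=1);

// Constructed sample lines in Apache/Nginx "combined" format; the addresses
// are documentation ranges and the requests are invented for this example.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [08/Apr/2026:18:40:01 +0000] "GET /update_category.php?sid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2026:18:40:02 +0000] "GET /update_category.php?sid=3%27 HTTP/1.1" 500 211 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2026:18:40:03 +0000] "GET /update_category.php?sid=-1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Apr/2026:18:41:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.9 - - [08/Apr/2026:18:41:12 +0000] "GET /update_category.php?sid=abc HTTP/1.1" 200 512 "-" "curl/8.0"
LOG;

/**
 * Return the anomalous requests as a list of ['ip' => , 'time' => , 'sid' => ].
 * A request is anomalous when it targets update_category.php and its sid
 * is missing, repeated as an array, or not a positive integer.
 */
function find_suspicious_sid_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client, ident, user, [timestamp], "METHOD target HTTP/x"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue; // not a request line in combined format
        }
        [, $ip, $ts, $target] = $m;
        $path = parse_url($target, PHP_URL_PATH) ?? '';
        if (basename($path) !== 'update_category.php') {
            continue;
        }
        // parse_str URL-decodes the values, so "%27" becomes a literal quote.
        parse_str((string)(parse_url($target, PHP_URL_QUERY) ?? ''), $params);
        $sid = $params['sid'] ?? null;
        if (is_string($sid) && ctype_digit($sid) && (int)$sid > 0) {
            continue; // well-formed id, nothing to report
        }
        $hits[] = [
            'ip'   => $ip,
            'time' => $ts,
            'sid'  => is_array($sid) ? '[array]' : ($sid ?? '[missing]'),
        ];
    }
    return $hits;
}

/** Count anomalous requests per client address, highest first. */
function count_by_ip(array $hits): array
{
    $counts = [];
    foreach ($hits as $hit) {
        $counts[$hit['ip']] = ($counts[$hit['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$hits = find_suspicious_sid_requests(SAMPLE_LOG);
foreach ($hits as $hit) {
    printf("%s %s sid=%s\n", $hit['time'], $hit['ip'], $hit['sid']);
}
foreach (count_by_ip($hits) as $ip => $n) {
    printf("%s: %d malformed sid request(s)\n", $ip, $n);
}
```

On the sample input this reports two anomalies from 203.0.113.7 and one from 198.51.100.9. Pointing the script at a real access log (for example by replacing SAMPLE_LOG with file_get_contents of the log path) and alerting when a single address exceeds a small threshold within a short window gives a low-noise signal, because the legitimate application never sends anything but an integer in sid.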



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:45:00 +0000

  First Time appeared (values added): Ahsanriaz26gmailcom; Ahsanriaz26gmailcom sales And Inventory System
  CPEs (values added): cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
  Vendors & Products (values added): Ahsanriaz26gmailcom; Ahsanriaz26gmailcom sales And Inventory System

Wed, 25 Mar 2026 13:15:00 +0000

  Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

  First Time appeared (values added): Sourcecodester; Sourcecodester sales And Inventory System
  Vendors & Products (values added): Sourcecodester; Sourcecodester sales And Inventory System

Tue, 24 Mar 2026 22:45:00 +0000

  Description (values added): A weakness has been identified in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file update_category.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
  Title (values added): SourceCodester Sales and Inventory System HTTP GET Parameter update_category.php sql injection
  Weaknesses (values added): CWE-74; CWE-89
  References (values added):
  Metrics (values added):
    cvssV2_0
    {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0
    {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0
    {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T13:01:48.579Z

Reserved: 2026-03-24T15:11:27.874Z

Link: CVE-2026-4778

Vulnrichment

Updated: 2026-03-25T13:01:19.652Z

NVD

Status : Analyzed

Published: 2026-03-24T23:17:12.450

Modified: 2026-04-08T18:43:43.717

Link: CVE-2026-4778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:04:42Z

Weaknesses