Description
A security vulnerability has been detected in SourceCodester Sales and Inventory System 1.0. This issue affects some unknown processing of the file update_customer_details.php of the component HTTP GET Parameter Handler. Such manipulation of the argument sid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-03-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The SourceCodester Sales and Inventory System 1.0 contains an unfiltered GET parameter "sid" in update_customer_details.php that permits an attacker to inject arbitrary SQL statements. By manipulating this argument, an attacker can read, modify, or delete customer records and gain access to sensitive data. The flaw represents a classic input validation weakness classified under both CWE-74 and CWE-89.

Affected Systems

The affected component is limited to the Sales and Inventory System released by SourceCodester, version 1.0. Only the update_customer_details.php script handling the "sid" parameter is affected, and no other versions or downstream releases have been reported as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The description states the attack can be executed remotely; it does not specify that local privileges are required, so it is inferred that reaching the publicly accessible HTTP endpoint is sufficient for exploitation. An attacker would send a crafted GET request to the vulnerable URL, with the injected SQL payload embedded in the sid parameter, without needing authentication or elevated privileges.

Generated by OpenCVE AI on April 7, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check SourceCodester for an official patch or newer release and apply it immediately.
  • If no patch is available, modify the update_customer_details.php script to use parameterized queries for the "sid" value and validate that the input is numeric.
  • Restrict access to update_customer_details.php to authenticated users only and enforce proper authorization checks.
  • Monitor web server logs for suspicious GET requests containing unexpected SQL syntax or abnormal query patterns.
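The second, third and fourth recommended actions above can be implemented together in the script itself. The following is an added example and is not the project's own code: it assumes a mysqli connection in $conn created by the application's existing database include, a constructed customers table with an integer primary key sid plus name and email columns, and a login flow that sets $_SESSION['user_id']. It shows the class of query construction the advisory describes next to the hardened form that validates sid as a positive integer, binds it as a prepared-statement parameter, requires an authenticated session, and logs rejected values so web-server or application log monitoring has a concrete signal.

```php
<?php
// Added example (not the project's code). Assumptions, all constructed:
//   - $conn is an open mysqli connection supplied by the app's DB include
//   - table customers(sid INT PRIMARY KEY, name VARCHAR, email VARCHAR)
//   - successful login stores $_SESSION['user_id']
declare(strict_types=1);
session_start();

// --- Vulnerable pattern: the raw GET value is concatenated into the query,
// so any SQL metacharacters in sid can change the statement's meaning.
function fetch_customer_vulnerable(mysqli $conn, array $get): ?array
{
    $sid = $get['sid'] ?? '';
    $sql = "SELECT sid, name, email FROM customers WHERE sid = '" . $sid . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version ---

// Authorization check: only authenticated users may reach this handler.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not authorized');
    }
}

// Accept sid only if it is a positive integer; anything else is rejected.
function parse_sid(array $get): ?int
{
    $raw = $get['sid'] ?? null;
    if (!is_string($raw)) {
        return null;            // arrays (sid[]=) or missing values
    }
    $sid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $sid === false ? null : $sid;
}

// The value reaches the database only through a bound parameter.
function fetch_customer_safe(mysqli $conn, int $sid): ?array
{
    $stmt = $conn->prepare('SELECT sid, name, email FROM customers WHERE sid = ?');
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function update_customer_safe(mysqli $conn, int $sid, string $name, string $email): bool
{
    $stmt = $conn->prepare('UPDATE customers SET name = ?, email = ? WHERE sid = ?');
    $stmt->bind_param('ssi', $name, $email, $sid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Request handling ---
require_login();

$sid = parse_sid($_GET);
if ($sid === null) {
    // Record the rejected value (truncated) and source address so that
    // log monitoring can spot probing of this parameter.
    error_log(sprintf(
        'update_customer_details: rejected sid=%s from %s',
        substr((string)($_GET['sid'] ?? ''), 0, 64),
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    http_response_code(400);
    exit('Invalid customer id');
}

$customer = fetch_customer_safe($conn, $sid);
if ($customer === null) {
    http_response_code(404);
    exit('Customer not found');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = trim((string)($_POST['name']  ?? $customer['name']));
    $email = trim((string)($_POST['email'] ?? $customer['email']));
    update_customer_safe($conn, $sid, $name, $email);
}
```

The bound 'i' parameter alone already prevents the injection; the separate integer check is what turns a malformed sid into a clean 400 and a log line instead of a silently coerced query, which is the signal the monitoring recommendation depends on. mysqli_stmt::get_result() requires the mysqlnd driver; on builds without it, use bind_result() and fetch() instead.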

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ahsanriaz26gmailcom
                                      Ahsanriaz26gmailcom sales And Inventory System
CPEs                                  cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products                    Ahsanriaz26gmailcom
                                      Ahsanriaz26gmailcom sales And Inventory System

Fri, 27 Mar 2026 05:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sourcecodester
                                      Sourcecodester sales And Inventory System
Vendors & Products                    Sourcecodester
                                      Sourcecodester sales And Inventory System

Tue, 24 Mar 2026 22:45:00 +0000

Type                 Values Removed   Values Added
Description                           A security vulnerability has been detected in SourceCodester Sales and Inventory System 1.0. This issue affects some unknown processing of the file update_customer_details.php of the component HTTP GET Parameter Handler. Such manipulation of the argument sid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title                                 SourceCodester Sales and Inventory System HTTP GET Parameter update_customer_details.php sql injection
Weaknesses                            CWE-74
                                      CWE-89
References
Metrics                               cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T03:53:05.642Z

Reserved: 2026-03-24T15:11:33.620Z

Link: CVE-2026-4779

Vulnrichment

Updated: 2026-03-27T03:53:01.904Z

NVD

Status : Analyzed

Published: 2026-03-24T23:17:12.663

Modified: 2026-04-07T18:20:19.237

Link: CVE-2026-4779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:19Z

Weaknesses