Description
A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection with potential remote exploitation
Action: Patch
AI Analysis

Impact

A flaw in the update_stock.php script of SourceCodester Sales and Inventory System 1.0 allows an attacker to insert arbitrary SQL code through the sid query parameter. The injection can modify, read, or delete database records, thereby compromising the confidentiality and integrity of business data. The vulnerability is classed as a data‑breach risk rather than direct code execution, but the potential for extensive data manipulation makes it a serious threat.

Affected Systems

SourceCodester’s Sales and Inventory System, version 1.0. The flaw resides in the HTTP GET parameter handler for update_stock.php and affects any installation of this version that has not been patched.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is publicly disclosed and can be exploited remotely without additional authentication, but it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker would typically craft a malicious sid value and send it in a GET request to the vulnerable endpoint, leading to arbitrary SQL execution against the application's database.

Generated by OpenCVE AI on April 7, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch or upgrade to a newer version of SourceCodester Sales and Inventory System if one is available.
  • If no patch is available, restrict access to update_stock.php so that only authenticated administrators can reach it.
  • Validate the sid parameter on the server side, ensuring it contains only a numeric identifier, and use prepared statements or parameterized queries to build SQL commands.
  • Conduct regular vulnerability scans and monitor application logs for signs of unexpected SQL activity.
  • Stay current with security updates from SourceCodester and maintain a patch management process.
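An added illustration of the second and third recommendations above; this is not code from the SourceCodester product (its update_stock.php source is not shown on this page). It places the injectable string-concatenation pattern the advisory describes beside a hardened version that restricts the handler to administrators, validates sid as a numeric identifier and runs a mysqli prepared statement. The table, column and session-key names are assumptions.

```php
<?php
// Added illustration, not the SourceCodester code. Table/column names
// (stock, id, qty) and the session key (is_admin) are assumptions.

// Weak pattern: the raw GET value is interpolated into the SQL text.
function update_stock_unsafe(mysqli $db, array $get): bool
{
    $sid = $get['sid'] ?? '';
    $qty = $get['qty'] ?? '0';
    $sql = "UPDATE stock SET qty = '$qty' WHERE id = '$sid'";   // injectable
    return (bool) $db->query($sql);
}

// Hardened pattern: access control, strict type validation, prepared statement.
function update_stock_safe(mysqli $db, array $get, array $session): bool
{
    // 1. Only authenticated administrators may reach the update logic.
    if (empty($session['is_admin'])) {
        http_response_code(403);
        return false;
    }

    // 2. sid must be a positive integer; anything else is rejected outright.
    //    FILTER_VALIDATE_INT returns false for "1 OR 1=1", "1;--", "1.0" and
    //    for a missing parameter (null), so no string ever reaches the query.
    $sid = filter_var($get['sid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $qty = filter_var($get['qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0]]);
    if ($sid === false || $qty === false) {
        http_response_code(400);
        return false;
    }

    // 3. Parameterized query: the values are bound as integers and never
    //    become part of the SQL text, so no quoting trick can alter it.
    $stmt = $db->prepare('UPDATE stock SET qty = ? WHERE id = ?');
    $stmt->bind_param('ii', $qty, $sid);
    $ok = $stmt->execute() && $stmt->affected_rows > 0;
    $stmt->close();
    return $ok;
}
```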



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom sales And Inventory System
Type: CPEs
  Values Added: cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom sales And Inventory System

Tue, 07 Apr 2026 00:00:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
  Values Removed: A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. If you want to get best quality of vulnerability data, you may have to visit VulDB.
  Values Added: A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Sourcecodester; Sourcecodester sales And Inventory System
Type: Vendors & Products
  Values Added: Sourcecodester; Sourcecodester sales And Inventory System

Wed, 25 Mar 2026 23:45:00 +0000

Type: Description
  Values Added: A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Type: Title
  Values Added: SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection
Type: Weaknesses
  Values Added: CWE-74; CWE-89
Type: References
Type: Metrics
  Values Added:
    cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T19:48:07.560Z

Reserved: 2026-03-25T14:04:32.261Z

Link: CVE-2026-4826

Vulnrichment

Updated: 2026-04-06T19:48:03.341Z

NVD

Status : Analyzed

Published: 2026-03-26T00:16:41.750

Modified: 2026-04-07T18:22:48.663

Link: CVE-2026-4826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:16Z

Weaknesses