{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4838", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-25T14:28:50.741Z", "datePublished": "2026-03-26T02:31:42.360Z", "dateUpdated": "2026-03-26T02:31:42.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T02:31:42.360Z"}, "title": "SourceCodester Malawi Online Market display.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Malawi Online Market", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. If you want to get the best quality for vulnerability data then you always have to consider VulDB."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-25T15:34:22.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "WeQi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353141", "name": "VDB-353141 | SourceCodester Malawi Online Market display.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353141", "name": "VDB-353141 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776081", "name": "Submit #776081 | SourceCodester Malawi Online Market V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_8.md", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. If you want to get the best quality for vulnerability data then you always have to consider VulDB."}], "id": "CVE-2026-4838", "lastModified": "2026-03-26T04:17:13.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T04:17:13.340", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_8.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353141"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353141"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776081"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Malawi Online Market", "source": "cna", "vendor": "SourceCodester"}, "product": "malawi_online_market", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-26T04:18:25.543015+00:00", "value": {"mitigation_remediation": ["Check SourceCodester\u2019s website or support channels for an official patch or update for Malawi Online Market 1.0.", "If no patch is available, modify the application to validate the ID parameter strictly, allowing only numeric values and rejecting all others.", "Implement prepared statements or stored procedures for database access in the vulnerable code to eliminate injection possibilities.", "Configure a web application firewall to block suspicious SQL patterns targeting the /display.php endpoint.", "Regularly monitor database logs for unexpected queries or unauthorized schema changes to detect exploitation attempts early."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected system is SourceCodester Malawi Online Market version 1.0, developed and hosted by SourceCodester.", "description_and_impact": "The vulnerability is an SQL injection flaw in the /display.php file of SourceCodester Malawi Online Market 1.0. Manipulating the ID argument allows an attacker to inject arbitrary SQL statements, potentially allowing unauthorized reading, modification, or deletion of database contents. The exploitation mechanism is available from a remote attacker and has already been published, meaning the flaw could be weaponised without local access. Documentation indicates that the faulty component is an unknown function, which likely fails to validate or parameterise user input, leading to the injection. This weakness, identified as CWE\u201174 and CWE\u201189, directly compromises data confidentiality and integrity and may extend to availability if large data manipulation occurs.", "risk_and_exploitability": "The CVSS score of 6.9 denotes a moderate to high severity level, and although the EPSS score is not available, the existence of a published exploit and the remote attack vector significantly increase the real-world risk. Attackers can trigger the injection simply by altering the ID parameter in an HTTP request to /display.php, making the vulnerability relatively easy to exploit for those who can reach the application. Consequently, the risk to impacted deployments is substantial, especially without mitigations in place."}}}}, "created": "2026-03-26T11:30:41.887017+00:00", "updated": "2026-03-26T12:08:42.350017+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$malawi_online_market"]}