Description
A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This issue affects some unknown processing of the file /sub-category.php of the component Parameter Handler. This manipulation of the argument pid causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the /sub-category.php page of the PHPGurukul Online Shopping Portal Project, where the pid request argument is evidently placed into an SQL statement without validation or parameterization (the advisory describes the affected code only as "unknown processing" of that parameter). An attacker who can reach the page can supply a crafted pid value in the URL query string or a form field and change the structure of the query the application sends to the database, reading, modifying or deleting data beyond what the page is meant to expose. The published vectors score the confidentiality, integrity and availability impact as low (C:L/I:L/A:L, with SSVC technical impact "partial") and record PR:L in CVSS 3.x/4.0 and Au:S in CVSS 2.0, so the scorers assumed an attacker holding an ordinary portal account rather than an anonymous visitor; the description itself says nothing about the authentication state needed to reach the page.
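As an added illustration (not code from the portal, from VulDB or from OpenCVE), the Python/sqlite3 snippet below reproduces the pattern described above and the validated, parameterized query that the Remediation section recommends. The table names, columns and rows are constructed for the demo; the portal's real PHP code and MySQL schema are not reproduced here.

```python
"""Added example: a pid injection of the kind described for /sub-category.php,
and the validated, parameterized query that closes it.  Python/sqlite3 stands
in for the portal's PHP/MySQL code; schema, column names and rows are
constructed for the demo and are not the project's own."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: products grouped by a parent category id (pid)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY,
                               category_id INTEGER NOT NULL,
                               name TEXT NOT NULL);
        CREATE TABLE admin (username TEXT NOT NULL, password TEXT NOT NULL);
        INSERT INTO products VALUES (1, 1, 'Laptop'), (2, 1, 'Monitor'),
                                    (3, 2, 'T-Shirt');
        INSERT INTO admin VALUES ('admin', 'hash-of-secret');
    """)
    return conn


def products_vulnerable(conn: sqlite3.Connection, pid: str) -> list[tuple]:
    """The weak pattern: the raw request value is spliced into the SQL text,
    so whatever the client puts in pid becomes part of the statement."""
    sql = f"SELECT id, category_id, name FROM products WHERE category_id = {pid}"
    return conn.execute(sql).fetchall()


def products_safe(conn: sqlite3.Connection, pid: str) -> list[tuple]:
    """The fix: allow-list the value's shape, then bind it as a parameter.
    The driver sends statement and value separately, so the value can never
    change the statement's structure.  (PHP equivalent: mysqli prepare() with
    bind_param('i', $pid), or PDO prepare()/execute() with a bound value.)"""
    if not re.fullmatch(r"[0-9]+", pid):
        raise ValueError("pid must be a non-negative integer")
    sql = "SELECT id, category_id, name FROM products WHERE category_id = ?"
    return conn.execute(sql, (int(pid),)).fetchall()


# Two classic payloads, each typed where a category id is expected.
# Tautology: returns every product in every category.
BOOLEAN_PAYLOAD = "1 OR 1=1"
# UNION: pulls rows from an unrelated table into the product listing
# (column count must match the original SELECT, here three).
UNION_PAYLOAD = "0 UNION SELECT 1, 1, username || ':' || password FROM admin"


def run_demo() -> dict:
    """Exercise both handlers with a legitimate id and with the payloads."""
    conn = make_db()
    out = {
        "legit_vulnerable": products_vulnerable(conn, "1"),
        "boolean_vulnerable": products_vulnerable(conn, BOOLEAN_PAYLOAD),
        "union_vulnerable": products_vulnerable(conn, UNION_PAYLOAD),
        "legit_safe": products_safe(conn, "1"),
    }
    try:
        products_safe(conn, BOOLEAN_PAYLOAD)
        out["payload_safe"] = "accepted"  # must never happen
    except ValueError:
        out["payload_safe"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler returns every product for the tautology and an admin credential row for the UNION payload; the hardened handler refuses both before any SQL is built, and even a value that slipped past the check could only ever be compared as an integer.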

Affected Systems

Any installation of PHPGurukul Online Shopping Portal Project version 2.1 that exposes the /sub-category.php endpoint is affected. The "Parameter Handler" component named in the description is the advisory's classification of where the flaw sits (the script's handling of request parameters), not a separately installed module that a deployment might lack. The listing names only the 2.1 release; earlier or later versions are not stated to be affected, although any release that builds the sub-category.php query from pid in the same way would share the flaw.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 indicates medium severity; the CVSS 3.1 vector for the same issue scores 6.3. The EPSS probability is below 1% and the issue is not in the CISA KEV catalogue, but a public proof-of-concept exploit has been released (SSVC Exploitation: poc), so an attacker needs no original research to use it; a published PoC demonstrates exploitability but is not evidence of exploitation in the wild. The attack vector is the network (AV:N): a crafted HTTP request to the exposed /sub-category.php page, sent from a browser or a script by an attacker who, per the published vectors, holds low privileges on the portal. Successful exploitation compromises the confidentiality, integrity and availability of the database, including whatever customer data the portal stores.

Generated by OpenCVE AI on April 5, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor-issued patch or upgrade the PHPGurukul Online Shopping Portal Project to a fixed release as soon as one is published; none is listed at the time of writing.
  • Until then, restrict access to the /sub-category.php resource (for example, to authenticated users on trusted networks) or take the page offline; the portal's category browsing depends on this script, so removing it also removes that function.
  • Refactor the handling of the pid parameter: reject any value that is not a plain integer before it reaches the database layer, and pass the value as a bound parameter of a prepared statement instead of concatenating it into the query text.
  • Run the application under a database account with the minimum privileges required for normal operation (no access to unrelated tables, no administrative rights) to limit the damage if an injection succeeds.
  • Deploy a web application firewall or intrusion detection rule for /sub-category.php that enforces an integer-only pid; a positive allow-list catches encoded and novel payloads that a list of SQL-injection signatures can miss.
  • Monitor web server and database logs for pid values that are not plain integers and for queries containing unexpected UNION clauses, comment sequences or quote characters, which indicate exploitation attempts.
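As an added example (not tooling from OpenCVE or from the project), the Python below applies the integer-only allow-list from the recommendations above to web-server access-log lines and flags every request to /sub-category.php whose decoded pid is not a plain number. The log lines are constructed for the demo; only the path and parameter name come from the advisory.

```python
"""Added example: hunt for pid tampering against /sub-category.php in web
server access logs.  The allow-list approach (pid must be a plain integer)
catches encoded and novel payloads that a signature list would miss.
Log lines are constructed for the demo, not captured from a real host."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/nginx "combined" format lines: one normal request, two
# injection attempts (percent-encoded and plus-encoded), one benign but
# encoded id, and one request to a different page.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:10:01:02 +0000] "GET /sub-category.php?pid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:01:09 +0000] "GET /sub-category.php?pid=3%27%20OR%201%3D1--%20- HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Apr/2026:10:02:15 +0000] "GET /sub-category.php?pid=0+UNION+SELECT+1,2,3 HTTP/1.1" 500 310 "-" "sqlmap/1.8"
198.51.100.23 - - [05/Apr/2026:10:02:16 +0000] "GET /sub-category.php?pid=%33 HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.9 - - [05/Apr/2026:10:03:00 +0000] "GET /category.php?cid=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/sub-category.php"
PID_OK = re.compile(r"[0-9]+")  # what a legitimate pid looks like; nothing else passes


def suspicious_pid_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded pid fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so each value is
        # judged on what the PHP script itself would receive, not on the raw
        # bytes in the log.  keep_blank_values keeps an empty 'pid=' visible.
        for value in parse_qs(url.query, keep_blank_values=True).get("pid", []):
            if not PID_OK.fullmatch(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "pid": value})
    return hits


def offenders_by_ip(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per source address for triage or blocking."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_pid_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} status={h["status"]} pid={h["pid"]!r}')
    print(offenders_by_ip(found))
```

Two requests are flagged: the quoted tautology and the UNION probe; the percent-encoded but legitimate "%33" is decoded to "3" and passes, which is why decoding before matching matters. Access logs do not record POST bodies, so the form-field route mentioned under Impact needs the application or database query log instead; the same allow-list, expressed as a WAF rule, blocks rather than merely reports.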

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 15:30:00 +0000

Values Removed: none. Values Added:

Metrics:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 09:30:00 +0000

Values Removed: none. Values Added:

Description: A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This issue affects some unknown processing of the file /sub-category.php of the component Parameter Handler. This manipulation of the argument pid causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Title: PHPGurukul Online Shopping Portal Project Parameter sub-category.php sql injection
First Time appeared: Phpgurukul; Phpgurukul online Shopping Portal Project
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:phpgurukul:online_shopping_portal_project:*:*:*:*:*:*:*:*
Vendors & Products: Phpgurukul; Phpgurukul online Shopping Portal Project
References: none listed
Metrics:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:50:59.487Z

Reserved: 2026-04-04T13:35:31.835Z

Link: CVE-2026-5552

Vulnrichment

Updated: 2026-04-06T14:33:59.935Z

NVD

Status : Deferred

Published: 2026-04-05T09:16:18.840

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:02Z

Weaknesses