CVE-2026-5606 - Vulnerability Details

- PHPGurukul Online Shopping Portal Project Parameter order-details.php sql injection

Description

A security flaw has been discovered in PHPGurukul Online Shopping Portal Project 2.1. The affected element is an unknown function of the file /order-details.php of the component Parameter Handler. The manipulation of the argument orderid results in sql injection. It is possible to launch the attack remotely.

Published: 2026-04-06

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a code injection flaw (CWE‑74) combined with a classic SQL injection (CWE‑89) that occurs when the orderid parameter in order-details.php is not properly sanitized. An attacker can inject arbitrary SQL statements, enabling them to read, modify, or delete data from the database behind the application. This could compromise customer information, transaction records, and overall data integrity.

Affected Systems

The affected product is PHPGurukul: Online Shopping Portal Project version 2.1. Only that version is explicitly listed as vulnerable in the advisory, and the flaw resides in the order-details.php component of the Parameter Handler submodule.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote through an HTTP request that supplies a crafted orderid argument. An attacker with network reach to the web server could exploit the vulnerability without additional credentials, making exploitation relatively straightforward.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PHPGurukul

Online Shopping Portal Project

affected

Version	Status	Constraints
`2.1`	affected	—

No data.

Vendor Product Confidence Versions

Phpgurukul

Online Shopping Portal Project

90%

Version	Status	Scheme	Platform
`2.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify that your environment is running PHPGurukul Online Shopping Portal Project v2.1
Apply any official upgrade or patch released by PHPGurukul immediately
If no patch exists, rewrite the order-details.php code to use prepared statements or parameterized queries for the orderid input
Limit the database user privileges to only those needed for application operations
Monitor web application traffic and database logs for abnormal queries or suspicious activity

Generated by OpenCVE AI on April 6, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/f1rstb100d/CVE/issues/13
https://phpgurukul.com/
https://vuldb.com/submit/784009
https://vuldb.com/vuln/355351
https://vuldb.com/vuln/355351/cti

History

Tue, 07 Apr 2026 07:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 00:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in PHPGurukul Online Shopping Portal Project 2.1. The affected element is an unknown function of the file /order-details.php of the component Parameter Handler. The manipulation of the argument orderid results in sql injection. It is possible to launch the attack remotely.
Title		PHPGurukul Online Shopping Portal Project Parameter order-details.php sql injection
First Time appeared		Phpgurukul Phpgurukul online Shopping Portal Project
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:phpgurukul:online_shopping_portal_project::::::::
Vendors & Products		Phpgurukul Phpgurukul online Shopping Portal Project
References		https://github.com/f1rstb100d/CVE/issues/13 https://phpgurukul.com/ https://vuldb.com/submit/784009 https://vuldb.com/vuln/355351 https://vuldb.com/vuln/355351/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Phpgurukul Online Shopping Portal Project

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T00:00:20.975Z

Updated: 2026-04-07T02:57:40.081Z

Reserved: 2026-04-05T14:00:55.969Z

Link: CVE-2026-5606

Vulnrichment

Updated: 2026-04-07T02:57:34.875Z

NVD

Status : Deferred

Published: 2026-04-06T00:16:19.420

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:39Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object