Description
A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This affects an unknown part of the file /cancelorder.php of the component Parameter Handler. This manipulation of the argument oid causes SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in PHPGurukul Online Shopping Portal Project 2.1 permits attackers to inject arbitrary SQL into the database by manipulating the 'oid' parameter in cancelorder.php, potentially enabling unauthorized data reading, updating, or deletion and compromising both confidentiality and integrity of the application.

Affected Systems

This vulnerability affects the PHPGurukul Online Shopping Portal Project, particularly version 2.1. The issue resides in the component responsible for handling request parameters within cancelorder.php.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The lack of an EPSS score and the absence from the KEV catalog suggest that exploit tooling may still be limited, although publicly available exploits exist. Because the attack vector appears to be remote via normal user input, the risk remains significant for any deployment that has not been patched or mitigated.

Generated by OpenCVE AI on April 6, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of PHPGurukul Online Shopping Portal Project that addresses the SQL injection issue, if available.
  • If no update exists yet, modify cancelorder.php to use parameterized SQL queries or escape the 'oid' input before appending it to the query string.
  • Deploy a web application firewall rule or input validation to filter suspicious values for the 'oid' parameter.



Advisories

No advisories yet.

History

Mon, 06 Apr 2026 15:30:00 +0000

Type: Metrics
Values Added:
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 09:15:00 +0000

Type: Description
Values Added: A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This affects an unknown part of the file /cancelorder.php of the component Parameter Handler. This manipulation of the argument oid causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Type: Title
Values Added: PHPGurukul Online Shopping Portal Project Parameter cancelorder.php sql injection

Type: First Time appeared
Values Added: Phpgurukul; Phpgurukul online Shopping Portal Project

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: CPEs
Values Added: cpe:2.3:a:phpgurukul:online_shopping_portal_project:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Phpgurukul; Phpgurukul online Shopping Portal Project

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:49:30.699Z

Reserved: 2026-04-05T19:18:10.713Z

Link: CVE-2026-5636

Vulnrichment

Updated: 2026-04-06T14:33:49.505Z

NVD

Status: Deferred

Published: 2026-04-06T08:16:40.140

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:33:08Z
