Description
A weakness has been identified in itsourcecode Courier Management System 1.0. This affects an unknown function of the file /edit_staff.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in an unspecified function of the Courier Management System's edit_staff.php file. Manipulating the ID argument can cause arbitrary SQL commands to be executed against the database. This can let an attacker read, modify, or delete data stored by the application. The flaw is classified as improper neutralization of special elements passed to a downstream component (CWE-74), specifically SQL injection (CWE-89).

Affected Systems

itsourcecode Courier Management System version 1.0 is affected. Any deployment that includes the edit_staff.php endpoint and accepts an ID parameter without proper validation is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog, so the current exploitation probability is unknown. However, the entry explicitly states that the exploit is publicly available and the attack can be launched remotely, indicating that an attacker can trigger the flaw from outside the network without additional access.

Generated by OpenCVE AI on May 1, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Courier Management System that resolves the SQL injection in edit_staff.php.
  • Rewrite the code that processes the ID parameter to use parameterized queries or prepared statements, so that user input is bound as data and never concatenated into SQL statements.
  • Restrict the database account used by the application to the minimum privileges required; avoid granting generic SELECT, UPDATE, DELETE, or EXECUTE rights beyond those needed for normal operation.
  • Implement network-level controls that restrict unauthenticated or unauthorized access to the edit_staff.php endpoint until the application has been patched or protected.


Advisories

No advisories yet.

History

Fri, 01 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Itsourcecode; Itsourcecode courier Management System |
| Vendors & Products | | Itsourcecode; Itsourcecode courier Management System |

Fri, 01 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in itsourcecode Courier Management System 1.0. This affects an unknown function of the file /edit_staff.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. |
| Title | | itsourcecode Courier Management System edit_staff.php sql injection |
| Weaknesses | | CWE-74; CWE-89 |
| References | | |
| Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T19:45:11.221Z

Reserved: 2026-05-01T09:38:28.900Z

Link: CVE-2026-7592

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-01T20:16:24.970

Modified: 2026-05-01T20:21:53.960

Link: CVE-2026-7592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses