Description
A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests as an SQL injection in the get_state.php handler due to unsanitized G_STATE_ID parameter. An attacker can use crafted input to alter query logic, potentially extracting, modifying, or deleting database contents. This weakness corresponds to CWE-74 and CWE-89 and could compromise the confidentiality and integrity of the blood bank database.

Affected Systems

Affected product is BloodBank Managing System version 1.0 from code‑projects, including the get_state.php script. The vulnerability exists in an unnamed function that processes the G_STATE_ID request argument. Users running the 1.0 release are exposed; no other versions have been disclosed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate threat severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. However, a publicly disclosed exploit demonstrates that remote attackers can trigger the injection simply by sending a specially crafted HTTP request containing a malicious G_STATE_ID value to the vulnerable endpoint.

Generated by OpenCVE AI on May 4, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑released patch that removes the unsanitized query handling in get_state.php. If a patch is not yet available, upgrade to a newer version of BloodBank Managing System.
  • As a temporary workaround, restrict external access to get_state.php by firewall rules or IP whitelisting until the patch is applied.
  • Modify the application code to use parameterized SQL statements and validate or sanitize the G_STATE_ID input to prevent injection attacks.
  • Deploy a web application firewall configured to block SQL injection payloads targeting the get_state.php endpoint.

Generated by OpenCVE AI on May 4, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects blood Bank Management System
Vendors & Products Code-projects
Code-projects blood Bank Management System

Mon, 04 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title code-projects BloodBank Managing System get_state.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Blood Bank Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T04:15:10.528Z

Reserved: 2026-05-03T16:08:23.156Z

Link: CVE-2026-7731

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-04T06:16:01.640

Modified: 2026-05-04T15:18:40.077

Link: CVE-2026-7731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:15:06Z

Weaknesses