Description
A flaw has been found in SourceCodester Comment System 1.0. An unspecified code path in the file post_comment.php is affected: manipulation of the argument Name leads to SQL injection. The attack can be launched remotely. A public exploit exists and may be used.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in SourceCodester Comment System 1.0, where the Name field in post_comment.php is improperly handled. An attacker can manipulate this argument to inject arbitrary SQL statements, potentially reading, modifying, or deleting data within the application's database. Since the input is incorporated directly into a query, the attack can compromise the confidentiality and integrity of stored information, including user content and possibly authentication data.

Affected Systems

Affected systems are installations of SourceCodester Comment System version 1.0. The flaw occurs in the post_comment.php script processing user comments. No other versions or components are mentioned as affected.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (7.3 under CVSS 3.x, 7.5 under CVSS 2.0) indicates medium severity. EPSS is below 1%, but the published exploit demonstrates that remote injection is feasible with a single web request. The vulnerability is not listed in CISA KEV, yet a public exploit makes it a realistic threat that attackers can leverage from the Internet. The vector (AV:N, PR:N, UI:N) means an unauthenticated user who can reach the comment endpoint can submit a crafted Name value, most likely through the same form submission that post_comment.php normally handles. SQL injection of this kind implies the Name value reaches the query without parameterization, so no credentials or user interaction are needed to trigger it.

Generated by OpenCVE AI on May 8, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check SourceCodester’s website or repository for an updated version that patches the SQL injection flaw and deploy it as soon as it is available
  • If no patch is available, change post_comment.php so the Name value (and every other user-supplied value in the same statement) is passed to the database through a prepared statement with bound parameters; escaping or stripping quotes is not an adequate substitute
  • As a temporary workaround, restrict comment posting to authenticated users or disable it until the code fix is applied; this only reduces exposure, since the flaw is still reachable by anyone who can submit a comment
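The following script is an added illustration for the Impact and Recommended Actions sections above; it is not code from SourceCodester Comment System or from OpenCVE. It reconstructs the pattern the description implies (the Name argument concatenated into an INSERT in post_comment.php), using an in-memory SQLite database as a stand-in for the application's MySQL backend, and shows a constructed Name value that turns the insert into a read of a users table (the confidentiality impact noted above). The same value is then fed through the parameterized handler the actions above recommend, which stores it as an inert string. The table and column names, the users table and its hash value are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: a stand-in for the application's users table.
ADMIN_HASH = "constructed-hash-value-not-a-real-credential"

# Constructed Name value an attacker could submit. It closes the quoted name,
# supplies a subquery as the comment column, then opens a second VALUES row so
# the rest of the original statement is consumed without needing a comment marker.
# Multi-row VALUES with a scalar subquery is valid in both SQLite and MySQL.
PAYLOAD_NAME = "x',(SELECT password_hash FROM users WHERE username='admin')),('y"


def build_db():
    """Fresh in-memory database with assumed comments and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES ('admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def post_comment_vulnerable(conn, name, comment):
    """Assumed shape of the flawed handler: user input concatenated into SQL (CWE-89)."""
    sql = "INSERT INTO comments (name, comment) VALUES ('" + name + "', '" + comment + "')"
    conn.execute(sql)
    conn.commit()


def post_comment_fixed(conn, name, comment):
    """Hardened handler: bound parameters cannot change the query structure."""
    conn.execute("INSERT INTO comments (name, comment) VALUES (?, ?)", (name, comment))
    conn.commit()


def list_comments(conn):
    """What the public comment list would render: (name, comment) in insertion order."""
    return [tuple(row) for row in conn.execute("SELECT name, comment FROM comments ORDER BY id")]


def demo():
    """Run the payload through both handlers; return (vulnerable_rows, fixed_rows)."""
    vuln = build_db()
    post_comment_vulnerable(vuln, PAYLOAD_NAME, "hello")
    fixed = build_db()
    post_comment_fixed(fixed, PAYLOAD_NAME, "hello")
    return list_comments(vuln), list_comments(fixed)


def accepts_apostrophe(post_fn):
    """Regression check: a legitimate name containing a quote must be stored intact."""
    conn = build_db()
    try:
        post_fn(conn, "O'Brien", "nice post")
    except sqlite3.OperationalError:
        # Concatenation turns the apostrophe into a syntax error.
        return False
    return list_comments(conn) == [("O'Brien", "nice post")]


if __name__ == "__main__":
    vuln_rows, fixed_rows = demo()
    print("vulnerable handler stored:", vuln_rows)   # admin hash ends up in a public comment
    print("fixed handler stored:", fixed_rows)       # payload stored verbatim as a name
    print("vulnerable accepts O'Brien:", accepts_apostrophe(post_comment_vulnerable))
    print("fixed accepts O'Brien:", accepts_apostrophe(post_comment_fixed))
```

In the PHP application the equivalent of post_comment_fixed is a mysqli prepared statement: prepare the INSERT with ? placeholders, bind the name and comment with bind_param as strings, then execute. The apostrophe check is worth keeping as a regression test after the fix: a name such as O'Brien must be stored intact, which is exactly what concatenation (or a quick fix that strips quotes) gets wrong.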



Advisories

No advisories yet.

History

Fri, 08 May 2026 02:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title        (none)           SourceCodester Comment System post_comment.php sql injection
Weaknesses   (none)           CWE-74, CWE-89
References   (none)
Metrics      (none)           cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                              cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T01:45:11.083Z

Reserved: 2026-05-07T17:18:37.142Z

Link: CVE-2026-8126

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T03:16:25.143

Modified: 2026-05-08T03:16:25.143

Link: CVE-2026-8126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T03:30:44Z

Weaknesses