Description
A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Manipulation of the argument msgid results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unknown function within the admin interface viewmsg.php may allow an attacker, by manipulating the msgid request parameter, to inject arbitrary SQL statements. This flaw falls under CWE-89 and could be used to read, modify or delete data in the underlying database, compromising confidentiality and integrity. Although no direct evidence of code execution is provided, exploitation of the database could potentially lead to further compromise if malicious statements alter application logic.

Affected Systems

SourceCodester SUP Online Shopping version 1.0 is affected. The vulnerability resides in the /admin/viewmsg.php file and no other versions or components are mentioned.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and EPSS information is not available, so the likelihood of exploitation is uncertain. The flaw is publicly disclosed and can be triggered remotely by supplying a crafted msgid parameter, so any host that can reach the application could potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, but the availability of public exploit code suggests it could be used in the wild.

Generated by OpenCVE AI on May 8, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SourceCodester SUP Online Shopping to the latest patch that fixes SQL injection in viewmsg.php
  • Restrict access to /admin/viewmsg.php to authorized users only, limiting exposure
  • Validate and sanitize the msgid parameter and use parameterized queries to prevent injection

Advisories

No advisories yet.

History

Fri, 08 May 2026 02:45:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Title                          SourceCodester SUP Online Shopping viewmsg.php sql injection
Weaknesses                     CWE-74, CWE-89
References
Metrics                        cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T02:15:09.625Z

Reserved: 2026-05-07T17:25:53.570Z

Link: CVE-2026-8128

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T03:16:25.553

Modified: 2026-05-08T03:16:25.553

Link: CVE-2026-8128

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T03:30:44Z

Weaknesses