Description
A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an SQL injection vulnerability in the wishlist.php file of SourceCodester SUP Online Shopping. An attacker can exploit a lack of input validation when manipulating the delwlistid parameter, allowing the injection of arbitrary SQL commands into a query that is then executed against the database. Because the vulnerable code is reachable via an HTTP request from any remote user, an attacker could read, modify, or delete application data, potentially exposing customer information or corrupting the product catalog. The weakness is identified as CWE-89 and the CVSS score of 6.9 rates the issue as medium severity.

Affected Systems

The vulnerability affects the SUP Online Shopping open-source application released by SourceCodester, specifically version 1.0. Any deployment that has the wishlist.php page and accepts the delwlistid argument is susceptible. This includes both community-hosted copies and self-managed instances that have not applied updates.

Risk and Exploitability

The EPSS score is not available, so the current probability of exploitation remains unknown, but the vulnerability is publicly disclosed and remote-exploitable. The lack of a CISA KEV listing does not reduce risk, because any remote client can send a crafted request to the vulnerable endpoint. The CVSS score reflects the potential impact on confidentiality and integrity without requiring elevated privileges. Organizations should view this as a legitimate threat that could be leveraged to compromise data or alter application state.

Generated by OpenCVE AI on May 8, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a supported version of SUP Online Shopping.
  • Implement input validation and use parameterized queries for the delwlistid parameter in wishlist.php.
  • Restrict unauthenticated access to wishlist.php or enforce proper authentication and authorization checks.
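The second and third recommended actions, shown together in code. This is an added example and not SourceCodester's wishlist.php; the table name (wishlist), its columns (id, user_id), the PDO handle ($pdo) and the session key ($_SESSION['user_id']) are all assumptions for illustration. It replaces the CWE-89 pattern the advisory describes (a query assembled from the raw delwlistid value) with integer validation, an ownership check, and a parameterized statement.

```php
<?php
// Added example, not the project's own code. Hypothetical schema: table
// `wishlist` with integer columns `id` and `user_id`; logged-in user's id
// stored in $_SESSION['user_id'].
declare(strict_types=1);

// Returns the value as a positive int, or null if it is not one.
// Applied to both the request argument and the session value so that
// neither can reach the query as anything other than an integer.
function positiveInt(mixed $value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Hardened "delete wishlist item" handler for the delwlistid argument.
// The unsafe form this replaces concatenates the raw argument into the SQL
// text; here the value is validated first and then bound as a parameter,
// so it can never change the structure of the statement.
function deleteWishlistItem(PDO $pdo, array $get, array $session): bool
{
    // Authorization: an anonymous request is refused outright.
    $userId = positiveInt($session['user_id'] ?? null);
    if ($userId === null) {
        http_response_code(401);
        return false;
    }

    // Input validation: delwlistid must be a positive integer.
    $itemId = positiveInt($get['delwlistid'] ?? null);
    if ($itemId === null) {
        http_response_code(400);
        return false;
    }

    // Parameterized query; the user_id predicate enforces ownership, so a
    // valid id belonging to another customer deletes nothing.
    $stmt = $pdo->prepare('DELETE FROM wishlist WHERE id = :id AND user_id = :uid');
    $stmt->bindValue(':id', $itemId, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

session_start();
// Placeholder DSN and credentials; real deployments load these from config.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

if (deleteWishlistItem($pdo, $_GET, $_SESSION)) {
    header('Location: wishlist.php');
    exit;
}
```

Disabling emulated prepares makes MySQL itself separate the statement text from the bound values; with emulation on, PDO quotes the value client-side, which is still safe for an integer validated with FILTER_VALIDATE_INT but leaves less margin for error. Logging the 400 and 401 branches gives a detection signal: a burst of rejected delwlistid values on wishlist.php is what a probe for this flaw looks like from the server side.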


Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 04:00:00 +0000

Type: Description
Values added: A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Type: Title
Values added: SourceCodester SUP Online Shopping wishlist.php sql injection

Type: Weaknesses
Values added: CWE-74, CWE-89

Type: References
Values added: (none listed)

Type: Metrics
Values added:
cvssV2_0
{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T13:00:19.618Z

Reserved: 2026-05-07T17:25:55.867Z

Link: CVE-2026-8129

Vulnrichment

Updated: 2026-05-08T13:00:16.179Z

NVD

Status: Received

Published: 2026-05-08T04:16:24.420

Modified: 2026-05-08T04:16:24.420

Link: CVE-2026-8129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses