Description
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw in the /admin/message.php file of SourceCodester SUP Online Shopping 1.0. By manipulating the argument seenid, an attacker can inject arbitrary SQL code into a backend query. The flaw allows the attacker to read or modify database contents, potentially exposing sensitive order, user, or payment information, and could be abused to alter or delete data. The weakness is identified as CWE-74 and CWE-89, reflecting improper handling of query components and unsanitized input.

Affected Systems

The affected product is SourceCodester SUP Online Shopping running version 1.0. The flaw resides in an unknown function of the admin message page, and it has not been narrowed to any specific subcomponent beyond the presence of the seenid parameter in that script.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate severity vulnerability. The EPSS score is not available, and the flaw is not currently listed in CISA KEV, but public exploit scripts have been published, implying that an attacker can feasibly exploit the flaw remotely. The likely attack vector is a web request that directly supplies a crafted seenid value. Given the public availability of the exploit and the ability to execute arbitrary SQL commands, the risk to affected systems is significant for confidentiality and integrity.

Generated by OpenCVE AI on May 8, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade that addresses the SQL injection in /admin/message.php.
  • Implement input validation or filtering on the seenid parameter to eliminate non-numeric or unexpected characters.
  • Rewrite database queries for this endpoint to use prepared statements or parameterized queries, ensuring injected input cannot alter query structure.
  • Monitor application logs for abnormal query execution patterns and review database integrity after mitigation.
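The second and third recommended actions (validate seenid as a number, then pass it to the database only through a prepared statement) are shown below in an added example. This is not code from SUP Online Shopping; the vulnerable code in /admin/message.php is not public on this page, so the table and column names (messages, id, seen), the function names, and the PDO/SQLite setup are all assumptions chosen to make the example run stand-alone.

```php
<?php
// Added example, not code from SourceCodester SUP Online Shopping.
// Demonstrates CWE-89 mitigation for an integer "seenid" request parameter:
// 1) validate the value as a positive integer, 2) bind it as a typed parameter.
// Table/column names are assumptions. Requires PHP with the pdo_sqlite extension.

declare(strict_types=1);

// The anti-pattern this guards against (hypothetical, shown only as a comment):
//   $db->query("UPDATE messages SET seen = 1 WHERE id = " . $_GET['seenid']);
// There the request value becomes part of the SQL text, so its content can change
// the query's structure. Below, it can only ever be a single integer value.

// Accept only a positive integer; anything else (letters, spaces, quotes,
// empty string, arrays) is rejected before it gets anywhere near SQL.
function parseSeenId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                         // arrays/objects/null are never valid
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Mark one message as seen. The id travels as a bound PDO::PARAM_INT value,
// so the query text is fixed at prepare() time regardless of the input.
function markMessageSeen(PDO $db, $raw): bool
{
    $id = parseSeenId($raw);
    if ($id === null) {
        // In a web handler this is where you would send HTTP 400 and log the
        // rejected value; for the CLI demo we just report failure.
        return false;
    }
    $stmt = $db->prepare('UPDATE messages SET seen = 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;          // true only if exactly one row changed
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, seen INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO messages (body) VALUES ('first message'), ('second message')");

var_dump(markMessageSeen($db, '2'));      // bool(true):  well-formed id, row updated
var_dump(markMessageSeen($db, '2abc'));   // bool(false): rejected by validation, no query run
var_dump(markMessageSeen($db, ''));       // bool(false): rejected by validation, no query run
var_dump(markMessageSeen($db, '999'));    // bool(false): well-formed, but no such row

// Confirm only the intended row changed.
$seen = $db->query('SELECT id FROM messages WHERE seen = 1')->fetchAll(PDO::FETCH_COLUMN);
var_dump($seen);                          // array(1) { [0] => "2" }
```

Both layers matter: the prepared statement alone already prevents the request value from altering the query, while the validator additionally rejects malformed requests up front, which is what makes the fourth recommended action practical, since a rejected seenid can be logged as an anomaly instead of showing up as an odd query in the database log.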

Tracking

Advisories

No advisories yet.

History

Fri, 08 May 2026 12:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 04:00:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Type: Title
Values removed: (none)
Values added: SourceCodester SUP Online Shopping message.php sql injection

Type: Weaknesses
Values removed: (none)
Values added: CWE-74, CWE-89

Type: References
Values removed: (none)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0
{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T11:29:09.929Z

Reserved: 2026-05-07T17:25:58.669Z

Link: CVE-2026-8130

Vulnrichment

Updated: 2026-05-08T11:29:04.893Z

NVD

Status: Received

Published: 2026-05-08T04:16:24.687

Modified: 2026-05-08T04:16:24.687

Link: CVE-2026-8130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses