Description
A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness exists in SourceCodester SUP Online Shopping 1.0 whereby the msgid argument supplied to /admin/replymsg.php is not properly sanitized, allowing an attacker to inject arbitrary SQL. The flaw can be used to read, modify, or delete data in the underlying database, violating confidentiality and integrity and potentially availability for the application. It is classified under CWE-74 (improper neutralization of special elements passed to a downstream component, the general injection class) and CWE-89 (SQL injection): the msgid value reaches a SQL statement without being escaped or validated.

Affected Systems

SourceCodester SUP Online Shopping version 1.0.

Risk and Exploitability

The CVSS score of 6.9 places this issue in the medium severity band. Although the EPSS estimate is very low (under 1%), the flaw is exploitable remotely and exploit code has been released publicly, so for installations whose admin area is reachable from untrusted networks the practical risk of exploitation is moderate to high, even though the issue is not listed in CISA KEV. A successful injection gives unauthorized database access and can lead to data disclosure or corruption.

Generated by OpenCVE AI on May 8, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch for SourceCodester SUP Online Shopping once it is released, ensuring the fix for the SQL injection in /admin/replymsg.php is included.
  • Limit access to the /admin/replymsg.php endpoint so that only authenticated administrators can reach it, and configure firewall rules or a web application firewall to block unauthenticated traffic to the admin area.
  • Modify the application to validate and sanitize the msgid parameter and use parameterized SQL queries, so that user input cannot be interpreted as executable SQL.
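The third action above is the one that removes the bug rather than hiding it. The following PHP is an added illustration written for this page; it is not code from SUP Online Shopping, and the table and column names (messages, msgid, sender, body, reply, replied_at) and the handler names are assumptions. It places the string-concatenation pattern that produces a msgid SQL injection beside a hardened version that validates msgid as a positive integer and binds it through a mysqli prepared statement, for both the read and the write path a reply handler would have.

```php
<?php
// Added example, not the project's code. Schema names are assumed.
// $db is an open mysqli connection created elsewhere in the application.

// --- Vulnerable pattern: the raw request value is spliced into the query text ---
function loadMessageUnsafe(mysqli $db, array $request): ?array
{
    $msgid = $request['msgid'] ?? '';
    // msgid becomes part of the SQL text, so the database parses whatever
    // the client sent as part of the statement. This is CWE-89.
    $sql = "SELECT msgid, sender, body FROM messages WHERE msgid = '" . $msgid . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened pattern: validate the type, then pass the value as a bound parameter ---
function loadMessageSafe(mysqli $db, array $request): ?array
{
    // msgid is a row identifier: accept only a positive integer, reject everything else.
    $msgid = filter_var($request['msgid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($msgid === false) {
        http_response_code(400);
        return null;
    }

    // The statement shape is fixed at prepare time; the value travels separately
    // and is never interpreted as SQL, whatever it contains.
    $stmt = $db->prepare('SELECT msgid, sender, body FROM messages WHERE msgid = ?');
    $stmt->bind_param('i', $msgid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The same discipline on the write path: the reply text is bound as a string,
// the identifier as an integer, and neither is concatenated into the query.
function saveReplySafe(mysqli $db, int $msgid, string $reply): bool
{
    $stmt = $db->prepare('UPDATE messages SET reply = ?, replied_at = NOW() WHERE msgid = ?');
    $stmt->bind_param('si', $reply, $msgid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage sketch inside an admin-only handler (authentication check assumed to run first):
//   $row = loadMessageSafe($db, $_GET);
//   if ($row !== null && isset($_POST['reply'])) {
//       saveReplySafe($db, (int) $row['msgid'], (string) $_POST['reply']);
//   }
```

Integer validation is a defence in depth here, not the fix: even without it the prepared statement keeps msgid out of the SQL grammar, but rejecting non-integers early also stops malformed requests from reaching the database at all and gives a clean 400 to log on. The access-control and WAF actions listed above still apply; they limit who can reach the endpoint, while the parameterized query is what makes the endpoint safe for whoever reaches it.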


Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Description (added):
A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Title (added):
SourceCodester SUP Online Shopping replymsg.php sql injection

Weaknesses (added):
CWE-74
CWE-89

References (added):

Metrics (added):
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T03:00:18.891Z

Reserved: 2026-05-07T17:26:01.355Z

Link: CVE-2026-8131

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:24.913

Modified: 2026-05-08T04:16:24.913

Link: CVE-2026-8131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses