Description
A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw that targets the customer_name and category parameters in the file /Invoicing/IGST_Invoice.php. Attackers can embed arbitrary SQL statements in these inputs, allowing them to read, modify, or delete data stored in the database. The flaw is identified as CWE‑89. The CVSS score of 5.3 indicates a moderate severity, meaning the impact is significant enough to potentially compromise data integrity and confidentiality when it is successfully exploited.

Affected Systems

The affected product is SourceCodester Indian Invoicing System version 1.0. The vulnerability resides in its Invoice Generation Handler component, specifically within IGST_Invoice.php. No other versions or components are currently reported to be impacted.

Risk and Exploitability

The attack can be launched remotely and an exploit has been published publicly, indicating that threat actors may attempt to exploit it today. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation and the existence of a public exploit suggest a non‑negligible likelihood of real‑world attacks. No known patch is available in the provided data, so the primary risk depends on the organization’s current exposure and defensive posture.

Generated by OpenCVE AI on May 25, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a newer release of SourceCodester Indian Invoicing System when one becomes available
  • Restrict network exposure by firewalling or IP whitelisting the Invoicing module so that only trusted hosts can reach the vulnerable endpoint
  • Implement input sanitization or, preferably, use parameterized queries for the customer_name and category fields to eliminate SQL injection vectors

Generated by OpenCVE AI on May 25, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Title SourceCodester Indian Invoicing System Invoice Generation IGST_Invoice.php sql injection
First Time appeared Sourcecodester
Sourcecodester indian Invoicing System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:indian_invoicing_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester indian Invoicing System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Indian Invoicing System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T00:45:11.931Z

Reserved: 2026-05-24T06:35:46.903Z

Link: CVE-2026-9411

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T02:30:14Z

Weaknesses