Description
A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-05-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the delete function of the admin/deleteproduct.php file, where the GET parameter ID is used directly in an SQL query without proper sanitization. Manipulating this argument allows an attacker to inject arbitrary SQL code, resulting in unauthorized data disclosure or modification. The flaw is a classic parameter-based SQL injection, classified under CWE-74 and CWE-89.

Affected Systems

This flaw affects the commercially available SourceCodester Simple POS and Inventory System version 1.0. The description references the GET parameter handler component of the delete functionality in the admin interface. No other versions or products are listed, so the risk is confined to installations that have not applied a later patch.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the lack of an EPSS entry implies there is no current measurement of exploitation probability. Since the exploit is publicly known and can be triggered simply by sending a malicious GET request, the attack vector is remote via HTTP. The vulnerability is not listed in the CISA KEV catalog, but because it operates over the network and has a moderate rating, administrators should consider it a noteworthy risk until a patch is applied.

Generated by OpenCVE AI on May 25, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SourceCodester Simple POS and Inventory System to a version that includes the SQL injection fix
  • Implement input validation or prepared statements for the ID parameter to prevent direct inclusion in SQL queries
  • Restrict database account privileges for the web application, limiting actions to only those required for normal operation
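As an added illustration of the second and third recommended actions (this is example code, not code from SourceCodester's application or from OpenCVE): a hardened PHP handler for a delete-by-ID request of the kind the advisory describes, which validates the `ID` query parameter as a positive integer and binds it through a PDO prepared statement instead of concatenating it into the query. The table and column names (`products`, `id`), the DSN, the `pos_app` database account and the redirect target are assumptions.

```php
<?php
// Added example, not the project's own code. The pattern the advisory
// describes is the ID parameter being placed directly into the SQL text;
// the handler below never does that: the value is validated, then bound
// as an integer parameter of a prepared statement.

declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN and credentials. Per the third recommended action, the
    // account used here should hold only what this page needs (e.g. DELETE
    // on products), not broad privileges such as FILE or DDL rights.
    return new PDO('mysql:host=localhost;dbname=pos;charset=utf8mb4', 'pos_app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

/**
 * Validate the ID query parameter: it must be an integer >= 1.
 * Returns null when the value is missing or malformed, so anything that
 * is not a plain product number is rejected before any SQL is built.
 */
function validateId(array $query): ?int
{
    if (!isset($query['ID'])) {
        return null;
    }
    $id = filter_var($query['ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Delete one product by primary key using a prepared statement.
 * The ID is bound with PDO::PARAM_INT and is never part of the SQL string.
 * Returns the number of rows deleted (0 if no such product existed).
 */
function deleteProduct(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling. The CVSS vectors on this page carry PR:H, i.e. the
// endpoint is reached by an authenticated admin; this assumes the
// application's admin session check has already run for this request.
$id = validateId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid product ID');
}

$deleted = deleteProduct(connect(), $id);
header('Location: products.php?deleted=' . $deleted); // assumed target page
exit;
```

The integer validation and the bound parameter are independent defences: `validateId` rejects anything that is not a product number, and even if validation were later relaxed, the prepared statement keeps the value out of the SQL text. Rejecting a bad `ID` with a 400 response also gives the web server log a clean signal to alert on if repeated malformed requests hit this endpoint.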


Advisories

No advisories yet.

History

Mon, 25 May 2026 09:45:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
Title                -                SourceCodester Simple POS and Inventory System GET Parameter deleteproduct.php delete sql injection
First Time appeared  -                Sourcecodester; Sourcecodester simple Pos And Inventory System
Weaknesses           -                CWE-74; CWE-89
CPEs                 -                cpe:2.3:a:sourcecodester:simple_pos_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products   -                Sourcecodester; Sourcecodester simple Pos And Inventory System
References           -                -
Metrics              -                cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T09:00:11.649Z

Reserved: 2026-05-24T07:44:53.678Z

Link: CVE-2026-9444

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T11:32:59Z

Weaknesses