Description
A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-05-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in an unidentified function within /admin/edit_customer.php of SourceCodester Simple POS and Inventory System 1.0. Manipulating the ID argument enables attackers to inject SQL code. Once exploited, the attacker can read, modify, or delete customer records, effectively compromising data confidentiality and integrity.

Affected Systems

SourceCodester Simple POS and Inventory System, version 1.0. The affected component is the edit_customer.php script on the admin interface of this application.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be carried out remotely with HTTP requests that carry a crafted ID parameter; the CVSS vectors listed under History specify high privileges required (PR:H), which matches the endpoint's location in the admin interface. Successful exploitation would allow attackers to retrieve or tamper with database contents through the unfiltered SQL query.

Generated by OpenCVE AI on May 25, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the latest version or apply the vendor-issued fix for the edit_customer.php SQL injection once one is available
  • Restrict access to the admin interface so that only authenticated, authorized users can interact with the edit_customer.php endpoint
  • Implement input validation on the ID parameter, ensuring it accepts only numeric values, and replace dynamic queries with prepared statements or stored procedures

Advisories

No advisories yet.

History

Mon, 25 May 2026 09:45:00 +0000

Type: Values Added (no values removed)

Description: A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Title: SourceCodester Simple POS and Inventory System edit_customer.php sql injection
First Time appeared: Sourcecodester; Sourcecodester simple Pos And Inventory System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:sourcecodester:simple_pos_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester simple Pos And Inventory System
References:
Metrics:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T09:30:10.408Z

Reserved: 2026-05-24T07:44:58.665Z

Link: CVE-2026-9446

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T11:32:56Z

Weaknesses