Description
A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote SQL injection flaw exists in the search.php file of SourceCodester Simple POS and Inventory System version 1.0. Attackers can manipulate the Name argument, causing the application to include unsanitized user input directly in a database query. This vulnerability allows attackers to read, modify, or delete data within the POS and inventory databases, which could compromise the confidentiality, integrity, and availability of the system. The flaw is classified as CWE‑74 and CWE‑89.

Affected Systems

The affected product is SourceCodester Simple POS and Inventory System 1.0. Users of this version should verify whether their installation contains the unpatched search.php that accepts a Name parameter via HTTP requests.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. An attacker can exploit the flaw remotely over the network, and an exploit has already been published. The impact hinges on database access privileges; if the database user has elevated rights, a successful injection could lead to full system takeover. Because the application accepts the input over HTTP, any user with network access to the web server can craft a malicious request.

Generated by OpenCVE AI on May 25, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a version of the product that has hardened the search.php input handling.
  • Restrict the database account that the application uses to the minimum permissions required for normal operation, removing unnecessary DDL or DML rights.
  • Replace the current query construction with parameterized SQL statements or otherwise sanitize the Name field to prevent injection of arbitrary SQL commands.
  • Deploy a web application firewall or configure the web server to block common SQL injection payload patterns.

Generated by OpenCVE AI on May 25, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Title SourceCodester Simple POS and Inventory System search.php sql injection
First Time appeared Sourcecodester
Sourcecodester simple Pos And Inventory System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:simple_pos_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester simple Pos And Inventory System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Simple Pos And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T09:45:09.328Z

Reserved: 2026-05-24T07:45:01.540Z

Link: CVE-2026-9447

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T12:30:25Z

Weaknesses