CVE-2026-2060
SQL Injection in Simple Blood Donor Management System Allows Remote Exploit
Publication date: 2026-02-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | simple_blood_donor_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2060 is a critical SQL injection vulnerability found in version 1.0 of the Simple Blood Donor Management System, specifically in the file /simpleblooddonor/editcampaignform.php.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the 'id' parameter is not properly validated or sanitized before being used in SQL queries, allowing attackers to inject malicious SQL code."}, {'type': 'paragraph', 'content': 'This flaw enables remote attackers to execute arbitrary SQL commands without authentication, potentially compromising the database.'}] [1, 2, 3]
How can this vulnerability impact me? :
Exploiting this vulnerability allows attackers to gain unauthorized access to the underlying database.
- Attackers can modify or delete data, leading to data tampering.
- Sensitive information stored in the database can be leaked.
- Attackers may achieve full system control or disrupt services.
The attack can be performed remotely without any authentication, increasing the risk and ease of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by testing the 'id' parameter in the URL /simpleblooddonor/editcampaignform.php for SQL injection flaws."}, {'type': 'paragraph', 'content': "Common detection methods include using SQL injection payloads such as boolean-based, error-based, time-based, and UNION-based injections to observe the system's response."}, {'type': 'paragraph', 'content': "Example payloads to test the 'id' parameter include:"}, {'type': 'list_item', 'content': "Boolean-based blind SQL injection: id=1' AND 6988=6988 AND 'lVwW'='lVwW"}, {'type': 'list_item', 'content': "Error-based SQL injection: id=1' OR (SELECT 5155 FROM(SELECT COUNT(*),CONCAT(0x7162716271,(SELECT (ELT(5155=5155,1))),0x71766a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ckDf'='ckDf"}, {'type': 'list_item', 'content': "Time-based blind SQL injection: id=1' AND (SELECT 6684 FROM (SELECT(SLEEP(5)))lHIZ) AND 'fynO'='fynO"}, {'type': 'list_item', 'content': "UNION-based SQL injection: id=1' UNION ALL SELECT NULL,CONCAT(0x7162716271,0x51515576744365625a564f6e4e47514a76784e626b5a445155434e42774a7a427642454775747346,0x71766a7171),NULL,NULL,NULL,NULL-- -"}, {'type': 'paragraph', 'content': "Tools like sqlmap can be used to automate detection and exploitation of this vulnerability by targeting the 'id' parameter."}, {'type': 'paragraph', 'content': 'Additionally, Google dorking with queries such as inurl:simpleblooddonor/editcampaignform.php can help identify potentially vulnerable instances exposed on the internet.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing prepared statements with parameter binding to ensure user input is properly separated from SQL commands.'}, {'type': 'paragraph', 'content': 'Strict input validation and filtering should be enforced to ensure that inputs conform to expected formats and do not contain malicious SQL code.'}, {'type': 'paragraph', 'content': "Minimize database user permissions by avoiding the use of high-privilege accounts such as root or admin for the application's database connections."}, {'type': 'paragraph', 'content': 'Conduct regular security audits and code reviews to detect and fix vulnerabilities promptly.'}, {'type': 'paragraph', 'content': 'If possible, replace the affected component or upgrade to a version without this vulnerability, as no official patch is currently available.'}] [2, 3]