CVE-2026-2060
Unknown Unknown - Not Provided
SQL Injection in Simple Blood Donor Management System Allows Remote Exploit

Publication date: 2026-02-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2060
EUVD
EUVD-2026-5644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian simple_blood_donor_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2060 is a critical SQL injection vulnerability found in version 1.0 of the Simple Blood Donor Management System, specifically in the file /simpleblooddonor/editcampaignform.php.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the 'id' parameter is not properly validated or sanitized before being used in SQL queries, allowing attackers to inject malicious SQL code."}, {'type': 'paragraph', 'content': 'This flaw enables remote attackers to execute arbitrary SQL commands without authentication, potentially compromising the database.'}] [1, 2, 3]

Impact Analysis

Exploiting this vulnerability allows attackers to gain unauthorized access to the underlying database.

  • Attackers can modify or delete data, leading to data tampering.
  • Sensitive information stored in the database can be leaked.
  • Attackers may achieve full system control or disrupt services.

The attack can be performed remotely without any authentication, increasing the risk and ease of exploitation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by testing the 'id' parameter in the URL /simpleblooddonor/editcampaignform.php for SQL injection flaws."}, {'type': 'paragraph', 'content': "Common detection methods include using SQL injection payloads such as boolean-based, error-based, time-based, and UNION-based injections to observe the system's response."}, {'type': 'paragraph', 'content': "Example payloads to test the 'id' parameter include:"}, {'type': 'list_item', 'content': "Boolean-based blind SQL injection: id=1' AND 6988=6988 AND 'lVwW'='lVwW"}, {'type': 'list_item', 'content': "Error-based SQL injection: id=1' OR (SELECT 5155 FROM(SELECT COUNT(*),CONCAT(0x7162716271,(SELECT (ELT(5155=5155,1))),0x71766a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ckDf'='ckDf"}, {'type': 'list_item', 'content': "Time-based blind SQL injection: id=1' AND (SELECT 6684 FROM (SELECT(SLEEP(5)))lHIZ) AND 'fynO'='fynO"}, {'type': 'list_item', 'content': "UNION-based SQL injection: id=1' UNION ALL SELECT NULL,CONCAT(0x7162716271,0x51515576744365625a564f6e4e47514a76784e626b5a445155434e42774a7a427642454775747346,0x71766a7171),NULL,NULL,NULL,NULL-- -"}, {'type': 'paragraph', 'content': "Tools like sqlmap can be used to automate detection and exploitation of this vulnerability by targeting the 'id' parameter."}, {'type': 'paragraph', 'content': 'Additionally, Google dorking with queries such as inurl:simpleblooddonor/editcampaignform.php can help identify potentially vulnerable instances exposed on the internet.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing prepared statements with parameter binding to ensure user input is properly separated from SQL commands.'}, {'type': 'paragraph', 'content': 'Strict input validation and filtering should be enforced to ensure that inputs conform to expected formats and do not contain malicious SQL code.'}, {'type': 'paragraph', 'content': "Minimize database user permissions by avoiding the use of high-privilege accounts such as root or admin for the application's database connections."}, {'type': 'paragraph', 'content': 'Conduct regular security audits and code reviews to detect and fix vulnerabilities promptly.'}, {'type': 'paragraph', 'content': 'If possible, replace the affected component or upgrade to a version without this vulnerability, as no official patch is currently available.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart