CVE-2026-2088
SQL Injection in PHPGurukul Beauty Parlour Admin Module
Publication date: 2026-02-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | beauty_parlour_management_system | 1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2088 is a critical SQL injection vulnerability found in the PHPGurukul Beauty Parlour Management System version 1.1, specifically in the file /admin/accepted-appointment.php.'}, {'type': 'paragraph', 'content': "The vulnerability arises due to improper handling and insufficient validation of the user-supplied 'delid' parameter, which is directly incorporated into SQL queries without adequate sanitization or neutralization of special characters."}, {'type': 'paragraph', 'content': 'This allows attackers to inject malicious SQL code remotely without authentication, enabling them to manipulate SQL commands, execute unauthorized database operations, and potentially compromise the confidentiality, integrity, and availability of the system.'}] [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to gain unauthorized access to the database, read sensitive data, modify or delete records, and potentially take full control of the system.
This compromises data integrity and system security, leading to severe impacts on business continuity and confidentiality.
- Unauthorized data disclosure
- Data modification or deletion
- Potential full system compromise
- Remote exploitation without authentication
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing the "delid" parameter in the /admin/accepted-appointment.php file for SQL injection flaws.'}, {'type': 'paragraph', 'content': "A proof-of-concept payload for time-based blind SQL injection is: delid=10' RLIKE (SELECT 6236 FROM (SELECT(SLEEP(5)))yZvQ)-- YKCi, which causes a delay in the database response if the injection is successful."}, {'type': 'paragraph', 'content': 'Testing can be performed using tools like sqlmap targeting the vulnerable parameter to confirm the presence of SQL injection.'}, {'type': 'list_item', 'content': 'Use sqlmap with a crafted request targeting the delid parameter in /admin/accepted-appointment.php.'}, {'type': 'list_item', 'content': 'Manually test by injecting time-delay payloads such as the provided PoC to observe response delays.'}, {'type': 'list_item', 'content': 'Use Google dorking with the query: inurl:admin/accepted-appointment.php to identify potentially vulnerable targets.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate remediation steps include implementing prepared statements with parameter binding to prevent SQL injection by separating SQL code from user input.
Enforce strict input validation and filtering on the delid parameter to ensure inputs conform to expected formats and block malicious data.
Minimize database user privileges by avoiding the use of high-privilege accounts such as root or admin for routine database operations to limit potential damage.
If possible, replace the affected component or product with an alternative that is not vulnerable.