CVE-2026-2867
Received Received - Intake
SQL Injection in itsourcecode Vehicle Management System /billaction.php

Publication date: 2026-02-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in itsourcecode Vehicle Management System 1.0. Affected is an unknown function of the file /billaction.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2867
EUVD
EUVD-2026-7522
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admerc vehicle_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2867 is a critical SQL injection vulnerability found in itsourcecode Vehicle Management System version 1.0, specifically in the file /billaction.php.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of the "ID" parameter and several other parameters (such as username, total_km, oil_cost, extra_cost, total_cost) which are directly concatenated into an SQL INSERT statement without any filtering, escaping, or parameterization.'}, {'type': 'paragraph', 'content': 'This lack of input sanitization allows attackers to manipulate SQL queries, enabling various types of SQL injection attacks including boolean-based blind, error-based, and time-based blind injections.'}, {'type': 'paragraph', 'content': 'The attack can be launched remotely without any authentication, making it highly accessible to attackers.'}] [1, 2, 3]

Impact Analysis

This vulnerability impacts the confidentiality, integrity, and availability of the affected system.

An attacker exploiting this vulnerability can execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or disruption of service.

Since the exploit is publicly available and requires no authentication, it poses a significant risk of compromise.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by testing the vulnerable parameter "id" in the /billaction.php file for SQL injection payloads. Common detection methods include sending crafted SQL injection payloads to the "id" GET parameter and observing the response for anomalies such as errors, delays, or boolean-based differences.'}, {'type': 'list_item', 'content': "Use boolean-based blind SQL injection payloads, for example: id=1' RLIKE (SELECT (CASE WHEN (3561=3561) THEN 1 ELSE 0x28 END)) AND 'elPB'='elPB"}, {'type': 'list_item', 'content': "Use error-based SQL injection payloads, for example: id=1' AND EXTRACTVALUE(5861,CONCAT(0x5c,0x7170706b71,(SELECT (ELT(5861=5861,1))),0x7176716a71)) AND 'AIsC'='AIsC"}, {'type': 'list_item', 'content': "Use time-based blind SQL injection payloads, for example: id=1' AND (SELECT 4196 FROM (SELECT(SLEEP(5)))IIwM) AND 'lXlt'='lXlt"}, {'type': 'paragraph', 'content': 'Additionally, Google Hacking techniques such as searching for inurl:billaction.php can help identify potentially vulnerable targets on your network.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include replacing the vulnerable dynamic SQL query construction with prepared statements and parameterized queries to prevent SQL injection.'}, {'type': 'list_item', 'content': 'Use prepared statements with functions like mysqli_prepare() and mysqli_stmt_bind_param() to ensure user inputs are treated as data, not executable code.'}, {'type': 'list_item', 'content': "Implement authentication and access control by validating session variables (e.g., $_SESSION['admin_id']) at the start of billaction.php to prevent unauthorized access."}, {'type': 'paragraph', 'content': 'Since no official patches or mitigations are available at the time of disclosure, it is recommended to replace the affected component or product to avoid exploitation.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart