CVE-2026-26886
Received Received - Intake

SQL Injection in Simple Online Men's Salon Management System

Vulnerability report for CVE-2026-26886, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: MITRE

Description

Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /admin/services/manage_service.php.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-03
Last Modified
2026-03-04
Generated
2026-07-06
AI Q&A
2026-03-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
oretnom23 simple_online_men's_salon_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability is an SQL injection found in the Simple Online Men's Salon Management System v1.0 by Sourcecodester. It exists in the file `/admin/services/manage_service.php`, specifically in the `id` parameter of a GET request."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by injecting malicious SQL code through the `id` parameter, such as using a UNION-based SQL injection payload to retrieve sensitive information like the database name.'}, {'type': 'paragraph', 'content': 'This allows unauthorized access to the database contents, potentially exposing sensitive data stored within the system.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This SQL injection vulnerability can lead to unauthorized data leakage from the system's database."}, {'type': 'list_item', 'content': 'Attackers can retrieve sensitive information such as database names and potentially other confidential data.'}, {'type': 'list_item', 'content': 'It may allow attackers to manipulate or access data without proper authorization.'}, {'type': 'list_item', 'content': 'The compromise of database contents can lead to data breaches, loss of customer trust, and potential operational disruptions.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted HTTP GET requests to the vulnerable endpoint and observing the response for SQL errors or unexpected data.'}, {'type': 'list_item', 'content': "Send a GET request to `/msms/admin/services/manage_service.php` with the `id` parameter manipulated to test for SQL injection, for example: `/msms/admin/services/manage_service.php?id=-6' union select 1,database(),3,4,5,6,7--+`."}, {'type': 'list_item', 'content': 'Use tools like curl or a web proxy to send the above request and check if the response contains the database name or other unexpected data.'}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious GET requests targeting the `id` parameter in `/admin/services/manage_service.php` that include SQL injection payloads.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26886. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart