CVE-2026-26892
SQL Injection in Sourcecodester Logistic Hub Parcel Management
Publication date: 2026-03-03
Last updated on: 2026-03-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | simple_logistic_hub_parcel's_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability is an SQL Injection found in the Simple Logistic Hub Parcel's Management System v1.0 by Sourcecodester. It exists in the file /manage_carrier.php, specifically in the 'id' parameter of the URL. An attacker can inject malicious SQL code through this parameter to manipulate the database queries."}, {'type': 'paragraph', 'content': 'For example, an attacker can use a UNION-based SQL injection payload to extract sensitive information from the database, such as the SQLite version. This means the attacker can potentially read or modify data in the database by exploiting this flaw.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This SQL Injection vulnerability can allow an attacker to access, modify, or delete data stored in the application's database without authorization. This could lead to data breaches, loss of data integrity, unauthorized data disclosure, or even full compromise of the backend database."}, {'type': 'paragraph', 'content': 'Such impacts may include exposure of sensitive information, disruption of service, or unauthorized control over application data, which can severely affect the operation and trustworthiness of the system.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by testing the `id` parameter in the URL `/lhpms/manage_carrier.php?id=` for SQL injection payloads.'}, {'type': 'paragraph', 'content': 'A common detection method is to send a specially crafted HTTP request with an SQL injection payload to see if the system responds with database information or errors indicating injection.'}, {'type': 'list_item', 'content': 'Use a curl command to test the injection point, for example: curl "http://<target>/lhpms/manage_carrier.php?id=1\' union select 1, 2, sqlite_version(), 4, 5, 6 -- +"'}, {'type': 'list_item', 'content': 'Observe the response for database version information or SQL errors that confirm the injection.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
I don't know