CVE-2026-3756
SQL Injection in SourceCodester Sales Inventory /check_item_details.php
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3756 is a SQL Injection vulnerability found in SourceCodester Sales and Inventory System version 1.0, specifically in the file check_item_details.php. The vulnerability occurs because the application does not properly sanitize the input parameter "stock_name1" received via HTTP POST requests.

This improper handling allows an attacker to inject arbitrary SQL commands into the backend MySQL database. The injection can be exploited using techniques such as Boolean-based blind and Time-based blind SQL injection, enabling attackers to manipulate database queries.

Exploitation requires sending crafted POST requests with malicious payloads to the vulnerable parameter, and automated tools like sqlmap can be used to confirm and exploit the flaw. [1, 2, 3]
How can this vulnerability impact me?
Exploiting this vulnerability allows attackers to perform unauthorized SQL queries on the backend database, leading to unauthorized data exfiltration and full database enumeration.
Attackers can retrieve sensitive information such as database tables, columns, schema details, and potentially confidential data stored in the system.
This compromises the confidentiality, integrity, and availability of the system, potentially leading to data breaches and disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing the "stock_name1" POST parameter in the check_item_details.php file for SQL injection flaws.

One can use automated tools like sqlmap to detect the vulnerability by sending crafted POST requests with malicious payloads.

- Example sqlmap command: `sqlmap -u "http://127.0.0.1:8089/check_item_details.php" --data "stock_name1=" --batch -v 6 --risk=3 --cookie "PHPSESSID=YOUR_COOKIE_HERE"`

Manual testing can be done using Boolean-based blind SQL injection payloads such as `' OR NOT 4616=4616#` or Time-based blind SQL injection payloads like `' AND (SELECT 2208 FROM (SELECT(SLEEP(5)))zsph)-- KQvW` to observe response behavior. [1]
What immediate steps should I take to mitigate this vulnerability?
No specific mitigations or countermeasures have been documented for this vulnerability.
It is recommended to replace the affected component or product to prevent exploitation.
As an immediate step, restrict access to the vulnerable endpoint and monitor for suspicious activity involving the stock_name1 parameter.
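Since the record documents no vendor fix, the following added example (not SourceCodester's code, and not taken from the affected product) shows the CWE-89 pattern behind this class of bug beside the parameterized form a patch would use for the `stock_name1` POST parameter. The `items` table, its `stock_name` and `quantity` columns, the `$conn` mysqli handle and the connection credentials are all assumptions made for the illustration.

```php
<?php
// Added illustration, not the project's code. The items table, its columns,
// and the database credentials below are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern (CWE-89): the POST value is concatenated straight into
 * the SQL text, so a quote character in the input changes the query structure
 * instead of being treated as part of the item name.
 */
function lookupItemUnsafe(mysqli $conn, string $stockName): ?array
{
    $sql = "SELECT stock_name, quantity FROM items WHERE stock_name = '" . $stockName . "'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

/**
 * Hardened version: a prepared statement ships the SQL text and the bound
 * value to MySQL separately, so the value can never be parsed as SQL syntax.
 */
function lookupItemSafe(mysqli $conn, string $stockName): ?array
{
    $stmt = $conn->prepare('SELECT stock_name, quantity FROM items WHERE stock_name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $stockName); // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling: reject absent or oversized input before touching the DB.
// Connection parameters are placeholders for the illustration.
$conn = new mysqli('localhost', 'app_user', 'app_password', 'inventory');
$conn->set_charset('utf8mb4');

$stockName = $_POST['stock_name1'] ?? '';
if (!is_string($stockName) || $stockName === '' || mb_strlen($stockName) > 100) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid stock_name1']);
    exit;
}

header('Content-Type: application/json');
echo json_encode(lookupItemSafe($conn, $stockName) ?? ['error' => 'not found']);
```

The length check is defense in depth, not the fix: the prepared statement is what removes the injection, because the bound parameter is never interpolated into the query text. `get_result()` requires the mysqlnd driver; on builds without it, `bind_result()` and `fetch()` give the same effect.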