CVE-2026-3756
Status: Received - Intake
SQL Injection in SourceCodester Sales Inventory /check_item_details.php

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in SourceCodester Sales and Inventory System up to version 1.0. Affected is an unknown function of the file /check_item_details.php. Manipulation of the argument stock_name1 leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Meta Information
Published: 2026-03-08
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-08
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Version / Range: 1.0
CWE Classification
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2026-3756 is a SQL Injection vulnerability found in SourceCodester Sales and Inventory System version 1.0, specifically in the file check_item_details.php. The vulnerability occurs because the application does not properly sanitize the input parameter "stock_name1" received via HTTP POST requests.

This improper handling allows an attacker to inject arbitrary SQL commands into the backend MySQL database. The injection can be exploited using techniques such as Boolean-based blind and Time-based blind SQL injection, enabling attackers to manipulate database queries.

Exploitation requires sending crafted POST requests with malicious payloads to the vulnerable parameter, and automated tools like sqlmap can be used to confirm and exploit the flaw. [1, 2, 3]

Impact Analysis

Exploiting this vulnerability allows attackers to perform unauthorized SQL queries on the backend database, leading to unauthorized data exfiltration and full database enumeration.

Attackers can retrieve sensitive information such as database tables, columns, schema details, and potentially confidential data stored in the system.

This compromises the confidentiality, integrity, and availability of the system, potentially leading to data breaches and disruption of services.


Detection Guidance

The vulnerability can be detected by testing the "stock_name1" POST parameter in the check_item_details.php file for SQL injection flaws.

One can use automated tools like sqlmap to detect the vulnerability by sending crafted POST requests with malicious payloads.

- Example sqlmap command: sqlmap -u "http://127.0.0.1:8089/check_item_details.php" --data "stock_name1=" --batch -v 6 --risk=3 --cookie "PHPSESSID=YOUR_COOKIE_HERE"

Manual testing can be done using Boolean-based blind SQL injection payloads such as ' OR NOT 4616=4616# or Time-based blind SQL injection payloads like ' AND (SELECT 2208 FROM (SELECT(SLEEP(5)))zsph)-- KQvW to observe response behavior. [1]

Mitigation Strategies

No specific mitigations or countermeasures have been documented for this vulnerability.

It is recommended to replace the affected component or product to prevent exploitation.

As an immediate step, restrict access to the vulnerable endpoint and monitor for suspicious activity involving the stock_name1 parameter.
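The last mitigation step above is to monitor the stock_name1 parameter. The following Python is an added illustration of such a check; it is not part of this record or of the Sales and Inventory System. Only the endpoint path and parameter name come from the advisory; the request records are constructed, and the indicator patterns are a coarse assumption to be tuned against real traffic (an item name such as "Item #3" would trip the comment-marker rule).

```python
import re
import urllib.parse

# Constructed sample POST bodies (not captured traffic). The first is a benign
# lookup; the next two mirror the boolean- and time-based probes the advisory's
# detection guidance names; the last targets a different endpoint.
SAMPLE_REQUESTS = [
    {"path": "/check_item_details.php", "body": "stock_name1=Printer+Paper"},
    {"path": "/check_item_details.php",
     "body": "stock_name1=%27+OR+NOT+4616%3D4616%23"},
    {"path": "/check_item_details.php",
     "body": "stock_name1=%27+AND+%28SELECT+2208+FROM+%28SELECT%28SLEEP%285%29%29%29zsph%29--+KQvW"},
    {"path": "/index.php", "body": "q=%27+OR+1%3D1"},
]

WATCHED_PATH = "/check_item_details.php"   # endpoint named in the advisory
WATCHED_PARAM = "stock_name1"              # parameter named in the advisory

# Assumed indicators: SQL syntax appearing inside a value that should be a
# plain item name. Coarse on purpose; tune thresholds and allow-lists locally.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\b", re.I), "quote followed by OR/AND"),
    (re.compile(r"\bsleep\s*\(", re.I), "time-based probe (SLEEP)"),
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"(--|#|/\*)"), "SQL comment marker"),
]


def inspect_request(req):
    """Return the indicator labels found in stock_name1, or [] if nothing matched."""
    if req["path"] != WATCHED_PATH:
        return []
    # parse_qs percent-decodes and turns '+' into a space, so patterns run on
    # the value the PHP side would actually see.
    params = urllib.parse.parse_qs(req["body"], keep_blank_values=True)
    findings = []
    for value in params.get(WATCHED_PARAM, []):
        for pattern, label in SQLI_PATTERNS:
            if pattern.search(value):
                findings.append(label)
    return findings


def scan(requests):
    """Map request index -> indicator labels for every request that should alert."""
    alerts = {}
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            alerts[i] = findings
    return alerts
```

The durable fix remains parameterized queries (CWE-89 guidance); this monitor only surfaces probing against the endpoint while the component is being replaced.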
