CVE-2026-3792
Received Received - Intake
SQL Injection in SourceCodester Sales Inventory purchase_invoice.php

Publication date: 2026-03-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file purchase_invoice.php of the component GET Parameter Handler. The manipulation of the argument purchaseid results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3792
EUVD
EUVD-2026-10282
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ahsanriaz26gmailcom sales_and_inventory_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3792 is a SQL injection vulnerability found in SourceCodester Sales and Inventory System version 1.0, specifically in the file purchase_invoice.php. The vulnerability arises from improper sanitization of the GET parameter "purchaseid", allowing an attacker to inject malicious SQL commands.'}, {'type': 'paragraph', 'content': 'This flaw enables attackers to manipulate SQL queries executed by the application, potentially compromising the confidentiality, integrity, and availability of the system. The vulnerability can be exploited remotely and requires authentication.'}, {'type': 'paragraph', 'content': 'The injection supports multiple techniques including UNION-based queries, Boolean-based blind injection, and time-based blind injection, allowing attackers to retrieve sensitive database information and enumerate database schema.'}] [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in the backend database, including potentially confidential business or customer information.

Attackers can retrieve, modify, or delete data by injecting arbitrary SQL commands, which compromises data integrity and availability.

The vulnerability can also be used to enumerate database structure, increasing the risk of further attacks.

Since the exploit is publicly available and can be performed remotely, the risk of attack is significant, especially if the system is exposed to the internet.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the purchase_invoice.php endpoint with crafted SQL injection payloads targeting the purchaseid GET parameter.'}, {'type': 'paragraph', 'content': 'One effective method is to use sqlmap, an automated SQL injection tool, to scan and confirm the vulnerability.'}, {'type': 'list_item', 'content': 'Example sqlmap command: sqlmap -u "http://127.0.0.1:8089/purchase_invoice.php?purchaseid=PR3" --batch -v 6 --risk=3 --cookie "PHPSESSID=YOUR_COOKIE_HERE"'}, {'type': 'paragraph', 'content': 'Additionally, attackers or testers can use manual payloads such as UNION-based, boolean-based blind, or time-based blind SQL injection strings in the purchaseid parameter to verify the vulnerability.'}, {'type': 'list_item', 'content': "UNION-based payload example: purchaseid=PR3' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162787171,0x68595375656a48764e49416542676f73764647584277616849704858684e4e76494e4a71726f6357,0x71786b6a71),NULL,...-- -"}, {'type': 'list_item', 'content': "Boolean-based blind payload example: purchaseid=PR3' AND 8776=8776 AND 'AuSo'='AuSo"}, {'type': 'list_item', 'content': "Time-based blind payload example: purchaseid=PR3' AND (SELECT 9448 FROM (SELECT(SLEEP(5)))wjTm) AND 'yFph'='yFph"}, {'type': 'paragraph', 'content': 'Google dorking can also help identify vulnerable targets by searching for URLs containing purchase_invoice.php, e.g., using the query: inurl:purchase_invoice.php'}] [1, 2]

Mitigation Strategies

No known countermeasures or mitigations have been documented for this vulnerability.

It is suggested to replace the affected component or product with an alternative that does not contain this vulnerability.

As an immediate step, restrict access to the vulnerable purchase_invoice.php endpoint and monitor for suspicious activity.

Implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the purchaseid parameter may help reduce risk temporarily.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart