CVE-2026-4571
SQL Injection in SourceCodester Sales Inventory /view_payments.php
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-4571 is a SQL Injection vulnerability found in SourceCodester Sales and Inventory System 1.0, specifically in the /view_payments.php file's HTTP POST Request Handler. The flaw occurs due to improper sanitization of the 'searchtxt' parameter used in the payments list search functionality. Authenticated attackers can manipulate this parameter to inject arbitrary SQL commands into the backend MySQL database."}, {'type': 'paragraph', 'content': 'Exploitation techniques include Boolean-based blind and Time-based blind SQL injection, allowing attackers to enumerate database structures and extract sensitive information. The vulnerability can be reproduced by logging into the system and submitting malicious SQL payloads through the search bar or intercepting requests with tools like sqlmap.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows attackers to exfiltrate sensitive data such as payment records, customer details, and transaction history from the affected Inventory System. It also enables full enumeration of the database schema, compromising data confidentiality and integrity.
Because the attack can be carried out remotely by authenticated users, it poses a significant risk of unauthorized data access and potential manipulation, which could lead to financial loss, reputational damage, and operational disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the 'searchtxt' parameter in HTTP POST requests to the /view_payments.php page for SQL injection flaws. An attacker or tester can submit specially crafted SQL payloads to observe if the system is vulnerable."}, {'type': 'paragraph', 'content': "For example, Boolean-based payloads like `searchtxt=-4866' OR 6593=6593#` or Time-based payloads such as `searchtxt=test_payment' AND (SELECT 4804 FROM (SELECT(SLEEP(5)))uxmy)-- fifg` can be used to verify the presence of SQL injection."}, {'type': 'paragraph', 'content': 'Automated tools like sqlmap can be used to detect and exploit this vulnerability. A sample sqlmap command involves intercepting the POST request to /view_payments.php and running sqlmap against it to confirm the injection point and extract database information.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
I don't know