CVE-2026-4574
SQL Injection in SourceCodester E-learning User Profile Update
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | simple_e-learning_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4574 is a SQL Injection vulnerability found in SourceCodester Simple E-learning System version 1.0, specifically in the User Profile Update component.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the application does not properly sanitize the input for the POST parameter named 'firstName'. This allows an authenticated attacker to inject malicious SQL commands."}, {'type': 'paragraph', 'content': "Attackers can exploit this flaw using various SQL injection techniques such as time-based blind, boolean-based blind, and error-based SQL injection by sending crafted payloads in the 'firstName' parameter."}, {'type': 'paragraph', 'content': 'The vulnerability enables attackers to execute arbitrary SQL commands on the backend MySQL database, potentially compromising the system.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to the database.
- Attackers can dump all database tables, columns, and sensitive data such as user credentials.
- It may allow attackers to bypass authentication mechanisms by modifying data.
- Attackers can alter or delete existing database records, compromising data integrity.
Although the attacker must be authenticated to exploit this vulnerability, the ability to execute arbitrary SQL commands poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the User Profile Update functionality, specifically the POST parameter named `firstName`, for SQL injection flaws.'}, {'type': 'paragraph', 'content': 'One effective method is to use sqlmap, an automated SQL injection tool, to test the endpoint with crafted payloads.'}, {'type': 'paragraph', 'content': 'An example sqlmap command to detect this vulnerability is:'}, {'type': 'list_item', 'content': 'sqlmap -u "http://127.0.0.1:8081/james_foreman" --data "firstName=John&lastName=Doe&phoneNumber=0&bio=&profile-updateBtn=Update" --batch -v 6 --risk=3 --cookie "PHPSESSID=YOUR_COOKIE_HERE"'}, {'type': 'paragraph', 'content': 'This command sends a POST request with the `firstName` parameter and attempts to identify SQL injection vulnerabilities by injecting various payloads.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
I don't know