CVE-2026-5034
SQL Injection in code-projects Accounting System Parameter Handler
Publication date: 2026-03-29
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sherlock | accounting_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5034 is a critical SQL injection vulnerability found in the Accounting System Project version 1.0, specifically in the file /edit_costumer.php. The issue arises because the cos_id parameter is improperly handled and directly used in SQL queries without adequate sanitization or validation.
This flaw allows attackers to inject malicious SQL code remotely without requiring any authentication. The two techniques demonstrated in the report are error-based SQL injection, which leaks database information through error messages, and time-based blind SQL injection, which confirms the flaw by inducing measurable delays in the database response.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to the database, data leakage, data modification or deletion, and potentially full system compromise or service disruption.
Attackers can perform unauthorized operations such as data theft and tampering, threatening both the security and business continuity of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `cos_id` parameter in the `/edit_costumer.php` file for SQL injection flaws. Two common techniques are error-based SQL injection and time-based blind SQL injection.
- Error-based SQL Injection test payload example: `cos_id=1'||(SELECT 0x45694a47 WHERE 4514=4514 AND (SELECT 3597 FROM(SELECT COUNT(*),CONCAT(0x7170627q,(SELECT (ELT(3597=3597,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||`
- Time-based Blind SQL Injection test payload example: `cos_id=1'||(SELECT 0x414e4c59 WHERE 2718=2718 AND (SELECT 7846 FROM (SELECT(SLEEP(5)))rTCA))||`
Additionally, automated tools like sqlmap can be used to confirm the vulnerability and enumerate the database.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement prepared statements with parameter binding to separate SQL code from user input, preventing injection.
- Enforce strict input validation and filtering to ensure inputs conform to expected formats.
- Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts like root or admin for routine operations.
- Conduct regular security audits of code and systems to detect and remediate vulnerabilities promptly.
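The first three mitigations applied to the `cos_id` handler, as an added illustration rather than code from the Accounting System project: the table and column names (`customers`, `cos_id`, `cos_name`), the database account and the exact shape of the original query are assumptions.

```php
<?php
// Added illustration, not the project's own code. Table, column and
// account names are assumptions made for the example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

// BEFORE (the pattern the advisory describes): the request parameter is
// concatenated into the SQL string, so a value like  1'||(SELECT ...)||
// is parsed as SQL rather than treated as data.
function load_customer_vulnerable(mysqli $db, string $cosId): ?array
{
    $sql = "SELECT * FROM customers WHERE cos_id = '" . $cosId . "'";
    $res = $db->query($sql);            // attacker controls the query text
    return $res->fetch_assoc() ?: null;
}

// AFTER: validate the input shape, then bind it as a parameter so the
// database receives the SQL text and the value separately.
function load_customer_safe(mysqli $db, string $cosId): ?array
{
    // 1. Input validation: cos_id is a numeric identifier, so only digits pass.
    if (!preg_match('/^[0-9]{1,10}$/', $cosId)) {
        http_response_code(400);
        // Hex-encode the rejected value so the log line itself cannot be forged;
        // this also gives a detection signal for injection attempts.
        error_log('edit_costumer.php: rejected cos_id=' . bin2hex($cosId));
        return null;
    }

    // 2. Prepared statement with parameter binding: the value can never alter
    //    the structure of the query, even if validation were later relaxed.
    $stmt = $db->prepare('SELECT cos_id, cos_name FROM customers WHERE cos_id = ?');
    $id = (int) $cosId;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 3. Least privilege: connect as an application account limited to the
//    accounting schema, never as root. Credentials here are placeholders.
try {
    $db = new mysqli('localhost', 'accounting_app', 'APP_PASSWORD_PLACEHOLDER', 'accounting');
    $customer = load_customer_safe($db, $_GET['cos_id'] ?? '');
} catch (mysqli_sql_exception $e) {
    // Log server-side only; echoing $e->getMessage() would feed error-based injection.
    error_log('edit_costumer.php: database error: ' . $e->getMessage());
    http_response_code(500);
}
```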
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in the Accounting System Project V1.0 allows attackers to perform unauthorized database access, data leakage, data modification, or deletion. Such unauthorized access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of sensitive personal and health information.
Specifically, the exposure or manipulation of sensitive data due to this vulnerability could violate data protection requirements, resulting in legal and financial consequences for organizations using the affected software.
Therefore, until the vulnerability is remediated by applying recommended mitigations such as prepared statements, input validation, and least privilege database access, affected systems remain at risk of non-compliance with these regulations.