CVE-2026-36873
SQL Injection in Sourcecodester Basic Library System Admin Module
Publication date: 2026-04-13
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| razormist | basic_library_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Basic Library System v1.0 by sourcecodester has an SQL injection vulnerability in the file /librarysystem/load_admin.php.
This vulnerability occurs because the admin_id parameter in the URL query string is used directly in a database query without proper sanitization.
An attacker can inject malicious SQL code through this parameter, such as using a UNION SELECT statement to extract sensitive information like the database name.
How can this vulnerability impact me? :
This SQL injection vulnerability allows an attacker to execute arbitrary SQL commands on the database.
- It can lead to leakage of sensitive data stored in the database.
- It may enable further compromise of the system by manipulating or deleting data.
- Attackers could potentially gain unauthorized access to administrative functions or other restricted data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL Injection vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint and observing the response for SQL errors or unexpected data leakage.
Specifically, you can test the `/librarysystem/load_admin.php` endpoint by injecting SQL payloads into the `admin_id` parameter.
An example command using curl to test this vulnerability is:
- curl "http://<target>/librarysystem/load_admin.php?admin_id=-1' union select 1,database(),3,4,5,6--+"
If the response contains the database name or SQL error messages, it indicates the presence of the SQL Injection vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in Sourcecodester Basic Library System v1.0 allows attackers to execute arbitrary SQL commands and potentially leak sensitive database information.
Such unauthorized access and data leakage can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by exposing sensitive data to attackers.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in /librarysystem/load_admin.php, immediately implement proper input validation and sanitization on the admin_id parameter to prevent malicious SQL code execution.
Use prepared statements or parameterized queries instead of directly embedding user input into SQL queries.
Restrict database permissions to limit the impact of a potential injection.
Monitor and review logs for suspicious activity targeting the admin_id parameter.
If possible, temporarily disable or restrict access to the vulnerable endpoint until a proper patch or fix is applied.