CVE-2026-36922
SQL Injection in Sourcecodester Cab Management System Categories Module
Publication date: 2026-04-13
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | cab_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is an SQL injection found in Sourcecodester Cab Management System v1.0, specifically in the file /cms/admin/categories/view_category.php.
It occurs at the 'id' parameter in the URL query string, where an attacker can inject malicious SQL code.
By exploiting this, an attacker can execute arbitrary SQL queries on the backend MySQL database, potentially extracting sensitive information or compromising the database.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow attackers to access unauthorized data from the database.
They may extract sensitive information, manipulate or delete data, or escalate their attack to further compromise the system.
Such impacts can lead to data breaches, loss of data integrity, and potential disruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the `id` parameter in the URL `/cms/admin/categories/view_category.php` for SQL injection payloads.
A common detection method is to send a specially crafted HTTP request with a payload that attempts to manipulate the SQL query, such as using a UNION-based injection.
For example, you can use curl or similar tools to send a request like:
- curl "http://<target>/cms/admin/categories/view_category.php?id=0' union select 1,database(),3,4,5,6,7--+" -H "Cookie: PHPSESSID=<session_id>"
If the response contains the database name or other unexpected data, it indicates the presence of the SQL injection vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in Sourcecodester Cab Management System v1.0 allows attackers to execute arbitrary SQL queries, potentially leading to unauthorized disclosure of sensitive data stored in the database.
Such unauthorized data disclosure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against breaches.
Failure to protect data adequately due to this vulnerability could result in violations of these standards, leading to legal and financial consequences for organizations using the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the file /cms/admin/categories/view_category.php, immediate steps include:
- Sanitize and validate the 'id' parameter in the URL query string to prevent injection of malicious SQL code.
- Use prepared statements or parameterized queries instead of directly including user input in SQL queries.
- Restrict database permissions to limit the impact of a potential SQL injection attack.
- Monitor and log database queries to detect suspicious activity.
- Apply any available patches or updates from the vendor or source code repository.