CVE-2026-37589
SQL Injection in Storage Unit Rental Management System v
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | storage_unit_rental_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Storage Unit Rental Management System v1.0 by Sourcecodester has a SQL injection vulnerability in the file /storage/admin/maintenance/manage_storage_unit.php.
This vulnerability occurs because the id parameter in the URL is not properly sanitized or parameterized, allowing an attacker to inject arbitrary SQL commands.
An attacker can manipulate the id parameter to execute SQL queries, such as using a UNION SELECT statement to retrieve sensitive information like the database name.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow an attacker to execute arbitrary SQL queries on the backend database.
As a result, unauthorized data leakage can occur, exposing sensitive information stored in the database.
The attacker could potentially access, modify, or delete data related to storage units or other sensitive system information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the `id` parameter in the URL `/storage/admin/maintenance/manage_storage_unit.php?id=` for SQL injection payloads.
A common detection method is to use a UNION-based SQL injection payload to check if the system returns database information.
- Send a GET request with the payload: `/storage/admin/maintenance/manage_storage_unit.php?id=0' union select 1,database(),3,4,5--+`
- If the response contains the database name (e.g., `storage_db`), it confirms the presence of the SQL injection vulnerability.
You can use tools like curl or a web proxy to send this request and observe the response.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Storage Unit Rental Management System v1.0 allows unauthorized data leakage by manipulating the `id` parameter in a URL. This unauthorized access to data could potentially lead to exposure of sensitive or personal information stored in the system.
Such unauthorized data exposure may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
However, the provided information does not specify the exact nature of the data affected or whether personal data is involved, so the precise compliance impact cannot be fully determined from the available details.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the Storage Unit Rental Management System v1.0, you should immediately avoid using the vulnerable parameter without proper validation.
- Restrict or disable access to the vulnerable URL `/storage/admin/maintenance/manage_storage_unit.php?id=` until a fix is applied.
- Implement input validation and parameterized queries or prepared statements to sanitize the `id` parameter and prevent SQL injection.
- Change or secure the default login credentials (`admin/admin123`) to prevent unauthorized access.
- Monitor and audit database and application logs for suspicious activity related to SQL injection attempts.