CVE-2026-37592
SQL Injection in Storage Unit Rental System Pricing Module
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | storage_unit_rental_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Storage Unit Rental Management System v1.0 by Sourcecodester has an SQL injection vulnerability in the file /storage/admin/maintenance/manage_pricing.php.
This vulnerability occurs because the id parameter in the URL is not properly sanitized before being used in SQL queries.
An attacker can inject malicious SQL code through this id parameter, for example using a UNION-based SQL injection payload to retrieve sensitive information such as the current database name.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow an attacker to leak unauthorized data from the backend database.
It may also enable further exploitation of the database, potentially compromising sensitive information stored within the system.
Since the system uses default login credentials (admin/admin123), the risk of unauthorized access and exploitation is increased.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `id` parameter in the URL `/storage/admin/maintenance/manage_pricing.php?id=` for SQL injection.
A common detection method is to use a UNION-based SQL injection payload to see if the database responds with unexpected data.
- Use the following payload in the URL to test for the vulnerability: `/storage/admin/maintenance/manage_pricing.php?id=0' union select 1,2,database(),4,5--+`
- If the response includes the database name or other unexpected data, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating the `id` parameter input to prevent SQL injection.
Use prepared statements or parameterized queries in the code handling the `id` parameter to avoid direct injection of user input into SQL queries.
Change default credentials such as `admin/admin123` to strong, unique passwords to reduce risk.
Restrict access to the vulnerable URL `/storage/admin/maintenance/manage_pricing.php` to authorized users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Storage Unit Rental Management System v1.0 allows unauthorized data leakage and potentially further exploitation of the database. Such unauthorized access to sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Because the vulnerability enables attackers to extract database information without proper authorization, it poses a risk to the confidentiality of stored data, which is a core requirement under these standards.