CVE-2026-5639
SQL Injection in PHPGurukul update-image3.php Allows Remote Exploit
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | online_shopping_portal | 2.1 |
| phpgurukul | online_shopping_portal_project | 2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5639 is a critical SQL injection vulnerability found in the PHPGurukul Online Shopping Portal Project version 2.1, specifically in the file /admin/update-image3.php. The flaw occurs because the "filename" parameter is not properly sanitized or validated before being used in SQL queries. This allows an attacker to inject malicious SQL code remotely, potentially manipulating the database.
The vulnerability was demonstrated using a time-based blind SQL injection payload targeting MySQL databases, where an attacker sends a specially crafted filename that causes the database to delay its response, confirming the injection point.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to the database, leakage of sensitive data, tampering or modification of data, and potentially full system compromise or disruption of services.
- Attackers can execute arbitrary SQL commands remotely.
- Data confidentiality and integrity can be compromised.
- System availability may be affected due to service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'filename' parameter in the /admin/update-image3.php endpoint for SQL injection flaws. A common method is to send specially crafted HTTP POST requests with SQL payloads that trigger time delays, such as using the SLEEP() function in MySQL.
For example, sending a multipart/form-data POST request with a manipulated filename parameter like: filename="4de8a7b75cc40f55f9f021d6608b0d25.jpg' RLIKE SLEEP(5) AND 'wUDr'='wUDr" can confirm the vulnerability if the server response is delayed.
Additionally, the sqlmap tool can be used to automate detection and exploitation of this SQL injection vulnerability by targeting the affected URL.
What immediate steps should I take to mitigate this vulnerability?
- Use prepared statements with parameter binding to separate SQL code from user input, preventing injection.
- Implement strict input validation and filtering to ensure inputs conform to expected formats and block malicious data.
- Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts like 'root' or 'admin' for routine operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the PHPGurukul Online Shopping Portal Project 2.1 allows attackers to gain unauthorized access to the database, leading to potential data leakage, data tampering, and full system compromise.
Such unauthorized access and data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and ensure data integrity.
Failure to remediate this vulnerability could lead to violations of these regulations, exposing organizations to legal penalties, reputational damage, and loss of customer trust.