CVE-2026-6148

Received Received - Intake

Remote SQL Injection in Vehicle Showroom Management System

Publication date: 2026-04-13

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipulation of the argument BRANCH_ID results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-13

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-04-13

EPSS Evaluated

2026-06-14

NVD

CVE-2026-6148

EUVD

EUVD-2026-21774

Affected Vendors & Products

Vendor	Product	Version / Range
code-projects	vehicle_showroom_management_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL injection flaw found in the Vehicle Showroom Management System version 1.0, specifically in the file /util/MonthTotalReportUpdateFunction.php. It occurs because the BRANCH_ID parameter is not properly validated or sanitized before being used in SQL queries. Attackers can manipulate this parameter remotely to inject malicious SQL code, which allows unauthorized access and manipulation of the database.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized database access, data leakage, and data tampering. Attackers may gain full control over the system, disrupt services, and compromise business continuity. The attack does not require any user authentication or authorization, making it easier for attackers to exploit remotely.

Detection Guidance

This SQL injection vulnerability can be detected by testing the BRANCH_ID parameter in the /util/MonthTotalReportUpdateFunction.php file for injection points.

Proof-of-concept tests used boolean-based blind SQL injection and time-based blind SQL injection techniques.

Example payloads to test the vulnerability include:

BRANCH_ID=111' RLIKE (SELECT (CASE WHEN (4347=4347) THEN 111 ELSE 0x28 END))
BRANCH_ID=111' AND (SELECT 2069 FROM (SELECT(SLEEP(5)))zkCs)

These payloads can be used with tools like sqlmap to confirm the presence of the SQL injection vulnerability.

Mitigation Strategies

To mitigate this SQL injection vulnerability, the following immediate steps are recommended:

Use prepared statements with parameter binding to separate SQL code from user input, preventing injection.
Implement strict input validation and filtering to ensure inputs conform to expected formats.
Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts like 'root' or 'admin' for routine operations.
Conduct regular security audits of code and systems to detect and address vulnerabilities promptly.

Compliance Impact

The SQL injection vulnerability in the Vehicle Showroom Management System allows attackers to perform unauthorized database access, data leakage, and data tampering. Such unauthorized access and potential exposure of sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Because the vulnerability enables remote exploitation without authentication, it increases the risk of data breaches, which are subject to regulatory reporting requirements and penalties under these standards.

Therefore, failure to remediate this vulnerability could result in violations of data protection obligations, impacting compliance with GDPR, HIPAA, and similar regulations.

Hi! I’m here to help you understand CVE-2026-6148. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-6148

Remote SQL Injection in Vehicle Showroom Management System

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart