CVE-2026-6149
SQL Injection in Vehicle Showroom Management System Remote Access
Publication date: 2026-04-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | vehicle_showroom_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw found in the Vehicle Showroom Management System version 1.0, specifically in the file /util/BookVehicleFunction.php. It occurs because the BRANCH_ID parameter is used directly in SQL queries without proper input validation or sanitization.
An attacker can manipulate the BRANCH_ID argument remotely to inject malicious SQL code, which allows unauthorized access and manipulation of the database.
- Vulnerability Type: SQL Injection
- Affected File: /util/BookVehicleFunction.php
- Attack Vector: Unsanitized BRANCH_ID parameter used in SQL statements
- No authentication is required to exploit this vulnerability
How can this vulnerability impact me? :
Exploiting this SQL injection vulnerability can have severe impacts including unauthorized access to the database, leakage of sensitive data, modification or deletion of data, and potentially taking control of the affected system.
Additionally, attackers can cause service interruptions, which may disrupt business operations.
- Unauthorized database access
- Data leakage of sensitive information
- Data modification or deletion
- Potential system takeover
- Service interruptions affecting availability
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the BRANCH_ID POST parameter in the /util/BookVehicleFunction.php file for injection flaws.
- Use automated tools like sqlmap to test the parameter for SQL injection.
- Example boolean-based blind SQL injection payload to test: BRANCH_ID=111' RLIKE (SELECT (CASE WHEN (4347=4347) THEN 111 ELSE 0x28 END)) AND 'dbax'='dbax
- Example time-based blind SQL injection payload to test: BRANCH_ID=111' AND (SELECT 2069 FROM (SELECT(SLEEP(5)))zkCs) AND 'DrYx'='DrYx
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Use prepared statements with parameter binding to separate SQL code from user input.
- Implement strict input validation and filtering to ensure inputs conform to expected formats.
- Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts like root or admin for routine operations.
- Conduct regular security audits of code and systems to detect and fix vulnerabilities promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This SQL injection vulnerability allows attackers to gain unauthorized access to the database, potentially leading to leakage, modification, or deletion of sensitive data without authentication.
Such unauthorized data access and manipulation can result in violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data and failing to maintain required security controls.