CVE-2026-8130
SQL Injection in SourceCodester SUP Online Shopping
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | sup_online_shopping | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8130 is a critical SQL injection vulnerability found in the SUP Online Shopping Project version 1.0, specifically in the "/admin/message.php" file. The vulnerability arises from improper input validation of the "seenid" parameter, which allows attackers to inject malicious SQL queries remotely without needing authentication.
Attackers can exploit this flaw by crafting special payloads that manipulate the database queries, potentially performing boolean-based blind, error-based, or time-based SQL injection attacks.
How can this vulnerability impact me?
Exploiting this vulnerability can lead to unauthorized access to the database, allowing attackers to manipulate or delete data, steal sensitive information, and potentially take over the affected system.
This can result in data breaches, loss of data integrity, service disruption, and compromise of user privacy and system security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the "seenid" parameter in the /admin/message.php file for SQL injection flaws. Attackers can exploit this parameter using boolean-based blind, error-based, or time-based SQL injection techniques.
To detect the vulnerability, you can use SQL injection testing tools or manual commands such as sending crafted HTTP requests with SQL payloads to the seenid parameter and observing the responses.
- Example curl command to test for SQL injection: curl -v "http://target/admin/message.php?seenid=1' OR '1'='1"
- Use sqlmap to automate detection: sqlmap -u "http://target/admin/message.php?seenid=1" --batch --level=5 --risk=3
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include validating and filtering all user inputs, especially the "seenid" parameter, to prevent malicious SQL code from being executed.
Implement prepared statements or parameterized queries in the /admin/message.php file to safely handle database queries.
Restrict database user permissions to the minimum necessary to reduce the impact of a potential exploit.
Monitor and block suspicious requests targeting the seenid parameter until a permanent fix is applied.
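The mitigation steps above, shown as an added PHP example that is not the SUP Online Shopping project's own code: the CWE-89 pattern (request value spliced into the SQL text) next to a hardened handler that validates the type of seenid and binds it as a parameter. The table and column names, the mysqli connection and the admin-session check are assumptions; the real contents of /admin/message.php are not on this page.

```php
<?php
// Added example for CVE-2026-8130 style fixes; not the project's own code.
// Assumed schema: a tblmessage table with integer id and seen columns.

// Weak pattern (CWE-89): the raw request value becomes part of the SQL text,
// so quotes and SQL keywords inside seenid are parsed as SQL, not as data.
function markSeenVulnerable(mysqli $db, array $get): bool
{
    $seenid = $get['seenid'] ?? '';
    $sql = "UPDATE tblmessage SET seen = 1 WHERE id = '" . $seenid . "'";
    return $db->query($sql) !== false;
}

// Hardened form: reject anything that is not a positive integer, then bind
// the value as a typed parameter. The SQL text never changes, so whatever the
// client sends can only ever be compared against the id column.
function markSeenSafe(mysqli $db, array $get): bool
{
    $seenid = filter_var(
        $get['seenid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($seenid === false) {
        http_response_code(400);   // malformed input: refuse, do not "clean" it
        return false;
    }
    $stmt = $db->prepare('UPDATE tblmessage SET seen = 1 WHERE id = ?');
    $stmt->bind_param('i', $seenid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage inside message.php (assumed wiring). The page notes the flaw is
// reachable without authentication, so the admin-session gate matters too.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit;
}
$db = new mysqli('localhost', 'shop_user', 'CHANGE_ME', 'shop');  // placeholder credentials
markSeenSafe($db, $_GET);
```

Pair the code fix with a database account that holds only the privileges message.php needs (here, UPDATE on tblmessage), as the third mitigation step recommends.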
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in SourceCodester SUP Online Shopping 1.0 allows unauthorized access to sensitive information and potential data manipulation or deletion. Such unauthorized access and data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.
Failure to address this vulnerability could result in exposure of personal data, violating confidentiality and integrity requirements mandated by these standards, potentially leading to legal and financial consequences.