CVE-2026-14690
Received Received - Intake

Improper Authorization in Multi-Vendor Online Grocery Management System

Vulnerability report for CVE-2026-14690, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester multi-vendor_online_grocery_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-14690 vulnerability affects the Multi-Vendor Online Grocery Management System version 1.0. It exists in the save_users function within the classes/Users.php file, where the function improperly handles authorization.

Specifically, the function uses extract($_POST) to convert all POST parameters into local variables and builds a SQL INSERT statement without excluding sensitive fields like 'type'. This allows an unauthenticated attacker to send a crafted POST request with 'type=1' to the endpoint '?f=save' and create a new user with administrator privileges.

The application's authentication checks are only at the page layer, not at the class endpoint level, enabling remote exploitation and full system compromise.

Impact Analysis

Exploitation of this vulnerability allows an attacker to create administrator accounts without authentication, granting immediate access to the admin panel.

  • Full control over product, order, and vendor management.
  • Access to system settings.

Furthermore, this vulnerability can be chained with another flaw in classes/SystemSettings.php to achieve remote code execution on the server, potentially leading to complete system takeover.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `?f=save` that include the parameter `type=1`, which is used to create administrator accounts without proper authentication.

A practical detection method is to inspect web server logs or use network monitoring tools to identify such suspicious POST requests targeting the `save_users` function.

  • Use command-line tools like curl to simulate or detect exploit attempts: `curl -X POST -d "type=1&username=attacker&password=pass" http://yourserver/?f=save`
  • Check web server access logs for POST requests containing `type=1` to the `?f=save` endpoint: `grep "POST.*\?f=save" /var/log/apache2/access.log | grep "type=1"`
  • Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on such suspicious POST requests.
Mitigation Strategies

Immediate mitigation steps include enforcing authentication on all API endpoints, especially the `save_users` function, to prevent unauthorized access.

Additionally, implement input validation by whitelisting allowed POST fields and separating privilege-sensitive fields like `type` from user-controlled input.

If possible, restrict access to the vulnerable endpoint at the network or application firewall level until a patch or fix is applied.

Review and update the application to ensure that privilege escalation cannot occur through manipulation of POST parameters.

Compliance Impact

The vulnerability allows unauthenticated attackers to create administrator accounts and gain full system compromise, including access to sensitive management functions and potentially remote code execution. Such unauthorized access and control over the system could lead to unauthorized disclosure, alteration, or destruction of personal and sensitive data.

This level of unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information, as well as measures to prevent unauthorized access and ensure data integrity and confidentiality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart