CVE-2026-14691
Received Received - Intake

Code Injection in Multi-Vendor Grocery Management System

Vulnerability report for CVE-2026-14691, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function update_settings_info of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content[] leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester multi-vendor_online_grocery_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Multi-Vendor Online Grocery Management System 1.0, specifically in the function update_settings_info within the file classes/SystemSettings.php. The function accepts a POST array named content[] and writes each element directly to disk without proper validation.

An attacker can exploit this by supplying malicious PHP code in the content[welcome] parameter, which gets written to a file named welcome.html. Since the home.php file includes welcome.html using PHP's include() statement, the attacker's code executes whenever the home page is accessed.

This leads to a remote code execution (RCE) vulnerability, allowing an attacker to run arbitrary code on the server remotely.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary code on the affected server remotely, potentially gaining complete control over the host system with the privileges of the web server process.

This can lead to unauthorized access, data theft, data manipulation, service disruption, or using the compromised server as a pivot point for further attacks.

Additionally, when combined with an unauthenticated admin registration vulnerability, an attacker can perform a fully unauthenticated remote code execution attack chain with just two HTTP requests.

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the update_settings_info function, specifically looking for the presence of the content[] array with suspicious or malicious PHP code in parameters such as content[welcome].

One way to detect exploitation attempts is to inspect web server logs for POST requests containing the content[] parameter with PHP code or unusual payloads.

Additionally, checking for the presence and recent modification of the file welcome.html in the web directory can indicate exploitation, since the malicious PHP code is written there.

  • Use grep to find suspicious POST requests in web server logs: grep -i "content\[" /var/log/apache2/access.log
  • Check for recently modified welcome.html files: ls -l --time-style=full-iso /path/to/webroot/welcome.html
  • Search for PHP code inside welcome.html: grep -i "<?php" /path/to/webroot/welcome.html
Mitigation Strategies

Immediate mitigation steps include implementing a whitelist for allowed file keys in the content[] parameter to prevent arbitrary file writes.

Replace the use of PHP's include() function with file_get_contents() to avoid executing injected PHP code.

Store the content data in a database instead of writing directly to files on disk.

Restrict web server permissions to limit the ability to write files in the web root directory.

Additionally, consider patching or updating the system to a version where this vulnerability is fixed.

Compliance Impact

The vulnerability allows remote code execution, granting an attacker complete control over the host system with the privileges of the web server process. This level of unauthorized access can lead to data breaches, unauthorized data manipulation, and potential exposure of sensitive information.

Such security breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity and confidentiality.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised data security and potential data leakage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart