CVE-2026-15537
Received Received - Intake

SQL Injection in SourceCodester Online Book Store System

Vulnerability report for CVE-2026-15537, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_book_store_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in the administrative login page allows attackers to bypass authentication and gain unauthorized access to sensitive administrative functions and data. This unauthorized access can lead to exposure or manipulation of personal and sensitive information, which may violate data protection requirements under regulations such as GDPR and HIPAA.

Specifically, the compromise of administrative controls and data integrity can result in non-compliance with standards that mandate strict access controls, data confidentiality, and integrity protections. Organizations using the affected system may face increased risk of data breaches, regulatory penalties, and loss of trust if this vulnerability is exploited.

Mitigation measures such as using prepared statements, input validation, and secure coding practices are essential to maintain compliance with these regulations by preventing unauthorized data access.

Executive Summary

This vulnerability is a SQL Injection flaw found in the admin login page of the SourceCodester Online Book Store System 1.0, specifically in the admin/login.php file. It occurs because the Username input is not properly sanitized or parameterized before being used in SQL queries. An attacker can manipulate the Username argument with malicious SQL code to bypass authentication checks.

By injecting SQL code such as ' OR 1=1 -- -, an attacker can trick the system into granting access without valid credentials, effectively bypassing the login process.

Impact Analysis

Exploiting this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the administrative dashboard of the application.

  • Full compromise of administrative controls.
  • Unauthorized access to sensitive data.
  • Potential takeover of the entire system.
Detection Guidance

This vulnerability can be detected by testing the administrative login page for SQL injection flaws. One common method is to input a malicious payload such as ' OR 1=1 -- - into the username field and observe if authentication is bypassed.

Network or system detection can involve monitoring for unusual login attempts or suspicious SQL injection patterns targeting the admin/login.php endpoint.

  • Use curl or similar tools to send a crafted login request with a payload like: curl -d "Username=' OR 1=1 -- -&Password=anything" http://targetsite/admin/login.php
  • Check web server logs for repeated failed or suspicious login attempts containing SQL injection payloads.
Mitigation Strategies

Immediate mitigation steps include implementing prepared statements and parameterized queries to prevent SQL injection.

Strict input validation should be enforced on all user inputs, especially the Username field in admin/login.php.

Conduct secure code reviews to identify and fix injection vulnerabilities.

Additionally, enforce modern password hashing and consider restricting access to the administrative login page.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart