SourceCodester Simple Inventory System CVE-2025-11610
Severity: Low (by source)
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD, the only source for this CVE.
Description (source: CVE.org)
A security flaw has been discovered in SourceCodester Simple Inventory System 1.0. This issue affects some unknown processing of the file /brand.php. The manipulation of the argument editBrandName results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
Analysis (AI-generated)
SQL injection in SourceCodester Simple Inventory System 1.0 via the editBrandName parameter of /brand.php allows authenticated remote attackers to manipulate database queries, with low confidentiality, integrity, and availability impact. The CVSS score of 2.1 reflects the limited scope (authenticated access is required and the impact on the CIA triad is low). Public exploit code exists, although the estimated probability of real-world exploitation is minimal (EPSS 0.03%, 8th percentile).
Technical Context (AI-generated)
The vulnerability exists in PHP-based inventory management software where user-supplied input from the editBrandName parameter is not properly sanitized before being used in SQL queries in /brand.php. This is a classic case of improper neutralization of special elements used in an SQL command (CWE-74), most likely caused by missing input validation combined with the absence of parameterized queries. The CPE cpe:2.3:a:codeastro:simple_inventory_system:1.0 confirms that the affected product is SourceCodester Simple Inventory System version 1.0, developed by Code Astro. The attack vector is network-based but requires prior authentication (PR:L in the CVSS 4.0 vector), which raises the bar for initial access.
Remediation (AI-generated)
Apply the latest security patch or upgrade from SourceCodester. Version information for patched releases is not confirmed in the available data, so contact the vendor via https://www.sourcecodester.com/ for the next available maintenance release. If no patch is available, immediately restrict access to /brand.php to trusted IP ranges and deploy Web Application Firewall rules that block SQL injection patterns in the editBrandName parameter (for example single quotes, UNION keywords, and stacked queries). In the application code, enforce parameterized queries (prepared statements) so that user input can never alter the structure of a statement, and stop database error messages from being displayed to end users to reduce information leakage. Finally, reduce the number of authenticated users who can reach the brand management function to further limit the attack surface.
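The following is an added illustration, not code from Simple Inventory System or its vendor: a hypothetical brand-update handler for /brand.php that shows the unsafe concatenation pattern the advisory describes next to the prepared-statement form the remediation recommends. It assumes a `brands(id INT, name VARCHAR)` table, a mysqli connection, and placeholder credentials.

```php
<?php
// Hypothetical handler for /brand.php (constructed example, not the project's code).
// Assumes a table `brands(id INT, name VARCHAR(100))` and a mysqli connection.

// VULNERABLE pattern (constructed): the editBrandName value is spliced into the
// statement text, so a single quote in the value ends the string literal and
// whatever follows is parsed as SQL rather than treated as data.
function updateBrandUnsafe(mysqli $db, int $id, string $editBrandName): bool {
    $sql = "UPDATE brands SET name = '" . $editBrandName . "' WHERE id = " . $id;
    return $db->query($sql) !== false;
}

// HARDENED form: placeholders fix the statement structure at prepare time; the
// value travels separately and can never be interpreted as SQL, so no manual
// quoting or escaping is needed.
function updateBrandSafe(mysqli $db, int $id, string $editBrandName): bool {
    $stmt = $db->prepare("UPDATE brands SET name = ? WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("si", $editBrandName, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: require an authenticated session (the flaw needs only a
// low-privilege account), then validate the input's shape before it reaches the DB.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$id   = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$name = trim((string)($_POST['editBrandName'] ?? ''));
if ($id === false || $id === null || $name === '' || mb_strlen($name) > 100) {
    http_response_code(400);
    exit('Invalid brand data');
}

mysqli_report(MYSQLI_REPORT_OFF); // no exceptions leaking SQL details to the client
$db = new mysqli('localhost', 'inventory', 'change-me', 'inventory'); // placeholder credentials
$db->set_charset('utf8mb4');
if (!updateBrandSafe($db, $id, $name)) {
    error_log('brand update failed: ' . $db->error); // log server-side, never echo $db->error
    http_response_code(500);
    exit('Update failed');
}
echo 'Brand updated';
```

The unsafe function is kept only to make the contrast visible; in a real codebase it should be deleted, not left beside the safe one.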