Simple Inventory System
CVE-2025-11611
Severity: LOW

CVSS vector (NVD, primary and only rating source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in SourceCodester Simple Inventory System 1.0. Impacted is an unknown function of the file /user.php. Manipulation of the argument uemail causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
SQL injection in SourceCodester Simple Inventory System 1.0 via the uemail parameter of /user.php allows authenticated remote attackers to manipulate database queries, with low impact. The CVSS score of 2.1 reflects the low severity, driven by the authentication requirement and the limited scope. A public exploit exists, but an EPSS percentile of 8% indicates below-average real-world exploitation likelihood despite proof-of-concept availability.
Technical Context (AI)
Simple Inventory System 1.0 is a PHP-based web application (CPE: cpe:2.3:a:codeastro:simple_inventory_system:1.0) containing a SQL injection vulnerability classified as CWE-74 (Improper Neutralization of Special Elements used in an Output ('Injection')). The vulnerability exists in the /user.php endpoint, where the uemail parameter is passed unsanitized into SQL queries without input validation or parameterized statements. This is a classic implementation flaw in PHP applications that neither escape user-controlled input nor use prepared statements before database operations.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. Immediate mitigation requires upgrading to a patched version if one becomes available from SourceCodester, or transitioning to an alternative inventory management system. If an upgrade is not immediately feasible, apply input validation and output encoding: use parameterized queries (prepared statements) for all database operations in /user.php, validate the uemail parameter against a strict email-format check, and add Web Application Firewall (WAF) rules that block SQL injection payloads (for example SQL keywords such as UNION, SELECT or DROP in user input). Restrict direct access to /user.php to trusted IP ranges and enforce multi-factor authentication for administrative accounts. These controls reduce exploitability but do not remove the underlying code defect. Contact SourceCodester (www.sourcecodester.com) for security patch availability.
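As an added illustration of the remediation above (hypothetical code written for this page, not the actual /user.php from Simple Inventory System, whose affected function the advisory does not show), a lookup by uemail in the vulnerable concatenation style beside the remediated form that validates the email format and binds the value through a prepared statement. It assumes a mysqli connection and a `users` table with `id`, `name` and `email` columns.

```php
<?php
// Added example: hypothetical code, not the project's own /user.php.
// Assumes a mysqli connection and a `users` table with id, name, email columns.

// Vulnerable pattern: the uemail value is concatenated straight into the SQL text,
// so the database parses whatever the client sent as part of the query.
function findUserVulnerable(mysqli $db, string $uemail): ?array
{
    $sql = "SELECT id, name FROM users WHERE email = '" . $uemail . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Remediated pattern: reject anything that is not an e-mail address, then bind the
// value as a parameter so the driver sends it as data, never as SQL.
function findUserSafe(mysqli $db, string $uemail): ?array
{
    if (filter_var($uemail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE email = ?");
    $stmt->bind_param("s", $uemail);   // "s": bind as a string parameter
    $stmt->execute();
    $stmt->bind_result($id, $name);    // bind_result works without mysqlnd
    $row = $stmt->fetch() ? ["id" => $id, "name" => $name] : null;
    $stmt->close();
    return $row;
}

// Constructed request handling; connection values are placeholders.
$db = new mysqli("localhost", "app_user", "app_password", "inventory");
$uemail = $_GET["uemail"] ?? "";
$user = findUserSafe($db, $uemail);
if ($user === null) {
    http_response_code(400);
    exit("invalid or unknown user");
}
echo htmlspecialchars($user["name"], ENT_QUOTES, "UTF-8");
```

Switching every query in /user.php to the `findUserSafe` pattern removes the injection regardless of what the WAF catches; the format check on its own is only a partial control.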