Skip to main content

Computer Repair Shop CVE-2026-10263

| EUVDEUVD-2026-33645 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-01 cna@vuldb.com GHSA-j9qv-7qrv-x4g8
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:35 vuln.today

DescriptionCVE.org

A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manage_product.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

AnalysisAI

SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.

Technical ContextAI

The affected application is a PHP-based web management system built on SourceCodester's platform (sourcecodester.com), targeted at small repair shop operations. The vulnerable endpoint /admin/products/manage_product.php accepts an 'ID' parameter that is passed unsanitized into a backend SQL query, consistent with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection), the parent class covering SQL injection. This class of vulnerability arises when user-controlled input is concatenated directly into SQL query strings without parameterized queries or prepared statements. No CPE string was provided, but the affected version is confirmed as up to and including 1.0. The PHP tag confirms server-side scripting is the delivery mechanism.

RemediationAI

No vendor-released patch has been identified at the time of analysis - the vulnerability was reported via a GitHub issue (https://github.com/gxcyyjy/CVE/issues/4) and VulDB (https://vuldb.com/vuln/367543) without an associated upstream fix or tagged release. Developers should remediate by replacing any dynamic SQL string concatenation in manage_product.php with parameterized queries or prepared statements (e.g., PDO with bindParam), which eliminates the injection vector at the root cause. As compensating controls, restrict access to the /admin/ directory to trusted IP ranges via web server configuration (e.g., Apache 'Require ip' or nginx 'allow/deny'), which limits network-wide unauthenticated exposure at the cost of operational flexibility for remote administrators. Input validation on the ID parameter (enforce integer type) should be applied as a secondary defense but is not a substitute for parameterized queries. Web application firewall rules blocking common SQL injection patterns (OR 1=1, UNION SELECT, etc.) can reduce opportunistic exploitation but are bypassable by determined attackers.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-10263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy