Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A weakness has been identified in code-projects Inventory Management System 1.0. Affected is an unknown function of the component Login. Executing a manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
SQL injection in code-projects Inventory Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component, leading to unauthorized database access and potential data exfiltration. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting low confidentiality, integrity, and availability impact without scope expansion. EPSS data unavailable, but public exploit availability elevates practical risk.
Technical ContextAI
The vulnerability stems from CWE-89 (SQL Injection), specifically improper neutralization of special elements used in a SQL command. The affected component is the Login function, where the Username parameter is passed directly to a database query without adequate input validation or parameterized query enforcement. The attack vector is network-based (AV:N), attack complexity is low (AC:L), and no authentication (PR:N) or user interaction (UI:N) is required, meaning the SQL injection can be triggered by sending a crafted HTTP request containing SQL metacharacters in the Username field. This is a classic first-order SQL injection vulnerability typical of legacy web applications lacking input sanitization.
RemediationAI
Upgrade to a patched version of code-projects Inventory Management System if available from https://code-projects.org/. If no patched version is available, implement immediate compensating controls: (1) Apply input validation to the Username parameter using a whitelist of allowed characters (alphanumeric, underscore, hyphen only) and reject any input containing SQL metacharacters (quotes, semicolons, dashes, parentheses); (2) Implement parameterized queries or prepared statements in the Login function to separate SQL code from user input - this is the most effective mitigation and should be the primary code-level fix; (3) Restrict network access to the Login component using a Web Application Firewall (WAF) with SQL injection detection rules, blocking requests containing common SQL injection patterns such as UNION, SELECT, or comment sequences; (4) Enable database-level access controls, restricting the application's database user to read-only permissions if the application does not require write access to user tables; (5) Monitor database query logs for suspicious patterns (e.g., multiple failed login attempts, queries with unusual syntax). These controls have varying trade-offs: input validation is fast but bypassable; parameterized queries are slow but eliminate the vulnerability; WAF rules add latency but provide defense-in-depth; database permissions limit damage but may break legitimate functionality if misconfigured.
More in Inventory Management System
View allA vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated cr
A vulnerability classified as critical was found in SourceCodester Inventory Management System 1.0. Rated critical sever
A vulnerability, which was classified as critical, has been found in SourceCodester Inventory Management System 1.0.php.
A vulnerability was found in SourceCodester Inventory Management System 1.0 and classified as critical.php. Rated critic
A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Rated criti
Sourcecodester Free and Open Source inventory management system v1.0 is vulnerable to Incorrect Access Control. Rated hi
A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. Rated high severity (C
A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated hi
A vulnerability classified as critical has been found in SourceCodester Inventory Management System 1.0. Rated critical
A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Rated criti
A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated cr
A vulnerability was found in SourceCodester Inventory Management System 1.0 and classified as critical.php. Rated critic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25746