Skip to main content

code-projects Inventory Management System CVE-2026-7070

| EUVDEUVD-2026-25746 MEDIUM
SQL Injection (CWE-89)
2026-04-27 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 27, 2026 - 01:29 vuln.today
Severity Changed
Apr 27, 2026 - 01:22 NVD
HIGH MEDIUM
CVSS changed
Apr 27, 2026 - 01:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
Apr 27, 2026 - 01:15 euvd
EUVD-2026-25746
Analysis Generated
Apr 27, 2026 - 01:15 vuln.today
CVE Published
Apr 27, 2026 - 00:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in code-projects Inventory Management System 1.0. Affected is an unknown function of the component Login. Executing a manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

SQL injection in code-projects Inventory Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component, leading to unauthorized database access and potential data exfiltration. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting low confidentiality, integrity, and availability impact without scope expansion. EPSS data unavailable, but public exploit availability elevates practical risk.

Technical ContextAI

The vulnerability stems from CWE-89 (SQL Injection), specifically improper neutralization of special elements used in a SQL command. The affected component is the Login function, where the Username parameter is passed directly to a database query without adequate input validation or parameterized query enforcement. The attack vector is network-based (AV:N), attack complexity is low (AC:L), and no authentication (PR:N) or user interaction (UI:N) is required, meaning the SQL injection can be triggered by sending a crafted HTTP request containing SQL metacharacters in the Username field. This is a classic first-order SQL injection vulnerability typical of legacy web applications lacking input sanitization.

RemediationAI

Upgrade to a patched version of code-projects Inventory Management System if available from https://code-projects.org/. If no patched version is available, implement immediate compensating controls: (1) Apply input validation to the Username parameter using a whitelist of allowed characters (alphanumeric, underscore, hyphen only) and reject any input containing SQL metacharacters (quotes, semicolons, dashes, parentheses); (2) Implement parameterized queries or prepared statements in the Login function to separate SQL code from user input - this is the most effective mitigation and should be the primary code-level fix; (3) Restrict network access to the Login component using a Web Application Firewall (WAF) with SQL injection detection rules, blocking requests containing common SQL injection patterns such as UNION, SELECT, or comment sequences; (4) Enable database-level access controls, restricting the application's database user to read-only permissions if the application does not require write access to user tables; (5) Monitor database query logs for suspicious patterns (e.g., multiple failed login attempts, queries with unusual syntax). These controls have varying trade-offs: input validation is fast but bypassable; parameterized queries are slow but eliminate the vulnerability; WAF rules add latency but provide defense-in-depth; database permissions limit damage but may break legitimate functionality if misconfigured.

CVE-2023-4749 CRITICAL POC
9.8 Sep 04

A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated cr

CVE-2023-4558 CRITICAL POC
9.8 Aug 27

A vulnerability classified as critical was found in SourceCodester Inventory Management System 1.0. Rated critical sever

CVE-2023-4436 CRITICAL POC
9.8 Aug 20

A vulnerability, which was classified as critical, has been found in SourceCodester Inventory Management System 1.0.php.

CVE-2023-4201 CRITICAL POC
9.8 Aug 07

A vulnerability was found in SourceCodester Inventory Management System 1.0 and classified as critical.php. Rated critic

CVE-2023-4200 CRITICAL POC
9.8 Aug 07

A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Rated criti

CVE-2023-46449 HIGH POC
8.8 Oct 26

Sourcecodester Free and Open Source inventory management system v1.0 is vulnerable to Incorrect Access Control. Rated hi

CVE-2023-4449 HIGH POC
8.8 Aug 21

A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. Rated high severity (C

CVE-2023-4199 HIGH POC
7.5 Aug 07

A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated hi

CVE-2023-4557 CRITICAL
9.8 Aug 27

A vulnerability classified as critical has been found in SourceCodester Inventory Management System 1.0. Rated critical

CVE-2023-4438 CRITICAL
9.8 Aug 20

A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Rated criti

CVE-2023-4437 CRITICAL
9.8 Aug 20

A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Rated cr

CVE-2023-4184 CRITICAL
9.8 Aug 06

A vulnerability was found in SourceCodester Inventory Management System 1.0 and classified as critical.php. Rated critic

Share

CVE-2026-7070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy