Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A weakness has been identified in itsourcecode Courier Management System 1.0. This affects an unknown function of the file /edit_staff.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.
Technical ContextAI
The vulnerability exists in a PHP application that handles staff editing functionality through the /edit_staff.php endpoint. The underlying issue is improper input validation on the ID parameter, which fails to sanitize or parameterize user-supplied input before passing it to SQL queries. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection') indicates the application does not properly escape or use prepared statements when constructing database queries, allowing attackers to inject arbitrary SQL commands. This is a classic SQL injection flaw in PHP web applications that do not leverage parameterized queries or object-relational mapping frameworks.
RemediationAI
Apply input validation and parameterized queries immediately: modify /edit_staff.php to use prepared statements or parameterized queries (e.g., mysqli_prepare() or PDO prepared statements in PHP) instead of string concatenation for the ID parameter. Additionally, implement strict input whitelisting-the ID parameter should only accept numeric values via regex validation or casting. If an immediate code patch is unavailable from itsourcecode, apply a Web Application Firewall (WAF) rule to block requests containing SQL keywords or special characters in the ID parameter. Update to a patched version of Courier Management System if released by the vendor. Monitor database logs for suspicious query patterns and restrict database account permissions to the minimum required by the application. Contact itsourcecode for security advisory details via https://itsourcecode.com/ or the VulDB record at https://vuldb.com/vuln/360545.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26710