Skip to main content

Water Billing Management System EUVDEUVD-2026-33582

| CVE-2026-10237 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-01 cna@vuldb.com GHSA-wr8g-5fgq-6jh4
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:33 vuln.today

DescriptionCVE.org

A vulnerability was found in SourceCodester Water Billing Management System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user of the component User Management Module. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

AnalysisAI

SQL injection in SourceCodester Water Billing Management System 1.0 exposes the User Management Module to database manipulation by authenticated administrators via the ID parameter at /admin/?page=user/manage_user. A publicly available proof-of-concept exploit exists per the CVSS E:P supplemental metric and a researcher's GitHub advisory. Despite network reachability, practical impact is low across confidentiality, integrity, and availability, and exploitation is gated behind high administrative privileges, earning a CVSS 4.0 base score of 2.0.

Technical ContextAI

The affected component is the User Management Module of SourceCodester Water Billing Management System 1.0, accessible at /admin/?page=user/manage_user. The vulnerability is rooted in CWE-74 (Injection), specifically an SQL injection subclass, where the ID query parameter is concatenated into a database query without parameterization or input sanitization. This allows an attacker to alter the SQL statement's logic, potentially reading unauthorized rows, modifying records, or causing minor disruption to database state. No CPE strings were provided in source data; the affected product and version are drawn from NVD and VulDB reporting. The application appears to be a PHP-based open-source utility distributed via SourceCodester (https://www.sourcecodester.com/).

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary recommended remediation is to apply parameterized queries or prepared statements to all database-interacting endpoints, specifically replacing the vulnerable ID parameter handling in /admin/?page=user/manage_user - this eliminates the injection root cause but requires source code modification. As a compensating control, restrict admin panel access (/admin/) to trusted IP ranges or require VPN access, reducing the network attack surface; note this does not fix the vulnerability and will not prevent insider abuse. Deploying a web application firewall with SQL injection signature rules targeting the ID parameter can block known PoC payloads but may be bypassed by obfuscated variants. Enforce strong, unique administrative credentials and disable shared admin accounts to raise the bar for credential-based exploitation. Refer to the researcher advisory at https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md and VulDB entry https://vuldb.com/vuln/367516 for technical detail.

Share

EUVD-2026-33582 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy