Skip to main content

Online Book Store System

4 CVEs product

Monthly

CVE-2026-15540 LOW POC Monitor

Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.

Information Disclosure LFI PHP Online Book Store System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15539 LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15537 MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15532 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Book Store System 1.0 allows a high-privileged authenticated attacker to inject malicious script payloads via the Name or Username fields in the User Management Module, which then execute in the browsers of other users who view the affected page. A publicly available proof-of-concept exploit exists, documented in a Medium article specifically demonstrating authenticated stored XSS in this module. This is not confirmed in the CISA KEV catalog, and real-world impact is constrained by the niche, educational nature of the affected software and the requirement for administrative credentials to inject payloads.

XSS Online Book Store System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW POC Monitor

Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Book Store System 1.0 allows a high-privileged authenticated attacker to inject malicious script payloads via the Name or Username fields in the User Management Module, which then execute in the browsers of other users who view the affected page. A publicly available proof-of-concept exploit exists, documented in a Medium article specifically demonstrating authenticated stored XSS in this module. This is not confirmed in the CISA KEV catalog, and real-world impact is constrained by the niche, educational nature of the affected software and the requirement for administrative credentials to inject payloads.

XSS Online Book Store System
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy