Vypr Intelligence · AI-generated · May 31, 2026 · 19 CVEs

Sourcecodester: 19 CVEs Across Six Products Disclosed in Three-Day Batch

A batch of 19 CVEs, 18 of them affecting six Sourcecodester products (SQL injection, XSS, CSRF and unrestricted upload flaws) plus one H3C router buffer overflow, was disclosed between May 23 and May 26, 2026, with public exploit code already available for every Sourcecodester entry.

Key findings

  • 19 CVEs disclosed in a three-day window (May 23–26, 2026); 18 of them affect six Sourcecodester products
  • Nine SQL injection vulnerabilities dominate the batch, spanning four different products
  • Public exploit code is reported for all 18 Sourcecodester CVEs
  • No official patches from Sourcecodester have been issued as of publication
  • One outlier CVE (CVE-2026-9393) targets an H3C Magic B0 router with a buffer overflow

A batch of 19 CVEs was published between May 23 and May 26, 2026; 18 of them affect six different Sourcecodester products and expose a broad set of PHP-based web applications to SQL injection, cross-site scripting, cross-site request forgery, unrestricted file upload, and information disclosure attacks. The affected products (Hospitals Patient Records Management System 1.0, Simple POS and Inventory System 1.0, Indian Invoicing System 1.0, Student Transcript Processing System 1.0, CET Automated Grading System with AI Predictive Analytics 1.0, and SUP Online Shopping 1.0) are small PHP applications typically deployed in educational and small-business environments, and public exploit code has been released for each of the 18 flaws.

SQL injection dominates the batch. The largest cluster of vulnerabilities by class is SQL injection, with nine CVEs spread across four products. The Hospitals Patient Records Management System 1.0 accounts for three of them: CVE-2026-9356 (CVSS 7.3) in /admin/patients/manage_history.php, CVE-2026-9355 (CVSS 7.3) in /classes/Master.php?f=save_patient_history, and CVE-2026-9342 (CVSS 6.3) in /admin/patients/view_history.php, all via manipulation of the ID argument. The Student Transcript Processing System 1.0 contributes three more: CVE-2026-9575 (CVSS 7.3) in /admin/modules/class/index.php?view=view, CVE-2026-9574 (CVSS 7.3) in /admin/modules/student/trans.php, and CVE-2026-9573 (CVSS 7.3) in /admin/modules/student/index.php?view=view. The Simple POS and Inventory System 1.0 has two SQLi flaws, CVE-2026-9447 (CVSS 7.3) in /user/search.php via the Name argument and CVE-2026-9446 (CVSS 4.7) in /admin/edit_customer.php via the ID argument; a further issue in the same product, CVE-2026-9444 (CVSS 4.7) in /admin/deleteproduct.php, is not counted among the nine. Finally, the Indian Invoicing System 1.0 contains CVE-2026-9411 (CVSS 6.3) in /Invoicing/IGST_Invoice.php via the customer_name and category arguments. All nine are remotely exploitable, and public exploit code has been disclosed for each.

Cross-site scripting and other web flaws. Four XSS vulnerabilities were identified. The Hospitals Patient Records Management System 1.0 has CVE-2026-9564 (CVSS 2.4, Low) in /admin/?page=patients/view_patient via the Remarks argument. The Indian Invoicing System 1.0 contains two XSS flaws: CVE-2026-9414 (CVSS 3.5, Low) in /Invoicing/add_order.php via the customer_name argument, and CVE-2026-9413 (CVSS 4.3, Medium) in /Invoicing/category.php via the msg argument. The SUP Online Shopping 1.0 has CVE-2026-9377 (CVSS 2.4, Low) in /admin/productedit.php via the productName argument. All four are remotely exploitable with public exploits available.

Access control, CSRF, file upload, and information disclosure. The Indian Invoicing System 1.0 also suffers from an improper access control issue, CVE-2026-9412 (CVSS 6.3, Medium), affecting multiple backend endpoints. The CET Automated Grading System with AI Predictive Analytics 1.0 has two flaws: CVE-2026-9583 (CVSS 4.3, Medium) — an information exposure through error messages in the SQL handler at /index.php — and CVE-2026-9582 (CVSS 4.3, Medium), a cross-site request forgery vulnerability. The Simple POS and Inventory System 1.0 includes CVE-2026-9445 (CVSS 6.3, Medium), an unrestricted file upload in /admin/addproduct.php via the image argument. All have public exploit code available.

One outlier: H3C Magic B0 router. The batch also includes CVE-2026-9393 (CVSS 8.8, High), a buffer overflow in the H3C Magic B0 router (up to firmware version 100R002) in the Edit_BasicSSID_5G function of /goform/aspForm. While this CVE was published in the same disclosure window (May 24), it targets a networking device rather than a Sourcecodester web application. The vendor was contacted but no patch has been confirmed at the time of publication.

Patch and mitigation status. Sourcecodester has not released a coordinated security advisory for this batch. As of publication, no official patches have been issued for any of the six affected Sourcecodester products. Users of Hospitals Patient Records Management System 1.0, Simple POS and Inventory System 1.0, Indian Invoicing System 1.0, Student Transcript Processing System 1.0, CET Automated Grading System with AI Predictive Analytics 1.0, and SUP Online Shopping 1.0 should assume all default installations are vulnerable. Given that public exploit code is available for every Sourcecodester CVE in the batch, administrators are advised to remove these applications from internet exposure entirely (most of the affected endpoints sit under /admin/ and have no business being reachable from outside), deploy web application firewall (WAF) rules that block SQLi and XSS payloads on the named endpoints as a stopgap only, and monitor for vendor updates or migration guidance. Because these products ship as PHP source, operators with developer capacity can also fix the code directly: prepared statements for the SQL injection paths, context-appropriate output encoding for the XSS sinks, anti-CSRF tokens, and server-side extension and content-type validation with a non-executable storage directory for the upload handler. Access-log review for requests to the affected paths, especially from unexpected source addresses, is a cheap way to establish whether exploitation has already occurred.
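One concrete form of the log-review advice above, written for this article as an added example (it is neither Sourcecodester's code nor the published exploits): a small Python pass over web-server access logs that matches requests against the endpoint and parameter names quoted from the CVE records in this batch and applies generic SQL injection and XSS payload heuristics. The log lines are constructed for the example; the mapping of the records' "ID", "Name" and "Remarks" arguments to lowercase HTTP parameter names is an assumption; and the regexes are triage heuristics, not a WAF rule set.

```python
"""Access-log triage for the endpoints named in this batch.

Added example for this article, not code from Sourcecodester or from the
published exploits. CVE, path and parameter names are copied from the CVE
summaries above; log lines are constructed; payload regexes are heuristics.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# path -> (CVE, vulnerability class, parameters named in the record,
#          query values the record requires, e.g. "?view=view")
# Assumption: the records' "ID"/"Name"/"Remarks" arguments are lowercase
# HTTP parameter names; matching below is case-insensitive regardless.
WATCHLIST = {
    "/admin/patients/manage_history.php": ("CVE-2026-9356", "sqli", {"id"}, {}),
    "/classes/Master.php": ("CVE-2026-9355", "sqli", {"id"}, {"f": "save_patient_history"}),
    "/admin/patients/view_history.php": ("CVE-2026-9342", "sqli", {"id"}, {}),
    "/admin/modules/class/index.php": ("CVE-2026-9575", "sqli", set(), {"view": "view"}),
    "/admin/modules/student/trans.php": ("CVE-2026-9574", "sqli", set(), {}),
    "/admin/modules/student/index.php": ("CVE-2026-9573", "sqli", set(), {"view": "view"}),
    "/user/search.php": ("CVE-2026-9447", "sqli", {"name"}, {}),
    "/admin/edit_customer.php": ("CVE-2026-9446", "sqli", {"id"}, {}),
    "/Invoicing/IGST_Invoice.php": ("CVE-2026-9411", "sqli", {"customer_name", "category"}, {}),
    "/admin/": ("CVE-2026-9564", "xss", {"remarks"}, {"page": "patients/view_patient"}),
    "/Invoicing/add_order.php": ("CVE-2026-9414", "xss", {"customer_name"}, {}),
    "/Invoicing/category.php": ("CVE-2026-9413", "xss", {"msg"}, {}),
    "/admin/productedit.php": ("CVE-2026-9377", "xss", {"productname"}, {}),
    "/admin/addproduct.php": ("CVE-2026-9445", "upload", {"image"}, {}),
}

# Generic payload heuristics (triage only; expect some false positives).
SQLI_RE = re.compile(r"(?i)(?:['\"]\s*(?:or|and)\b|\bunion\s+(?:all\s+)?select\b"
                     r"|\b(?:sleep|benchmark|extractvalue|updatexml)\s*\(|--\s|/\*)")
XSS_RE = re.compile(r"(?i)(?:<\s*/?\s*script\b|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b)")

# Apache/nginx combined format; request targets with literal spaces will not parse.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def _payload_class(value):
    # parse_qs already decoded once; a second pass catches %2527-style double encoding.
    decoded = unquote_plus(value)
    if SQLI_RE.search(decoded):
        return "sqli"
    if XSS_RE.search(decoded):
        return "xss"
    return None


def analyze_line(line):
    """Return a finding dict for a request to a watchlisted endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    entry = WATCHLIST.get(url.path)
    if entry is None:
        return None
    cve, vclass, params, required = entry
    qs = parse_qs(url.query, keep_blank_values=True)
    for name, prefix in required.items():  # e.g. /admin/ only counts with page=patients/view_patient
        if not any(v.startswith(prefix) for v in qs.get(name, [])):
            return None
    flagged = {}
    for name, values in qs.items():
        for v in values:
            cls = _payload_class(v)
            if cls:
                flagged[name.lower()] = cls
    # Payload of the record's class in the record's parameter (or any parameter when
    # the record names none) is the strongest signal; other payloads are still suspicious.
    if any((not params or n in params) and c == vclass for n, c in flagged.items()):
        verdict = "exploit-attempt"
    elif flagged:
        verdict = "suspicious-payload"
    elif vclass == "upload" and m["method"] == "POST":
        verdict = "review-body"  # uploaded file is in the body, which access logs omit
    else:
        verdict = "endpoint-hit"
    return {"cve": cve, "class": vclass, "path": url.path, "method": m["method"],
            "status": int(m["status"]), "src": m["ip"], "flagged": flagged, "verdict": verdict}


def scan(lines):
    return [f for f in map(analyze_line, lines) if f]


SAMPLE_LOG = [  # constructed combined-format lines, not real traffic
    '203.0.113.5 - - [24/May/2026:10:15:02 +0000] "GET /admin/patients/view_history.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/May/2026:10:15:40 +0000] "GET /user/search.php?name=bob HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/May/2026:10:16:11 +0000] "GET /Invoicing/category.php?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2200 "-" "curl/8.5.0"',
    '203.0.113.5 - - [24/May/2026:10:16:45 +0000] "POST /admin/addproduct.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [24/May/2026:10:17:03 +0000] "GET /admin/?page=patients/view_patient&id=3 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/May/2026:10:17:09 +0000] "GET /admin/?page=dashboard HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/May/2026:10:17:30 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/May/2026:10:18:02 +0000] "GET /admin/edit_customer.php?id=5%2527%2520OR%25201%253D1 HTTP/1.1" 500 300 "-" "curl/8.5.0"',
    '203.0.113.5 - - [24/May/2026:10:18:20 +0000] "GET /user/search.php?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:<19} {f['cve']} {f['method']} {f['path']} from {f['src']} params={f['flagged']}")
```

Two of the batch's CVEs are deliberately absent from the table: the CET error-message exposure at /index.php and the CET CSRF flaw have no path-specific request signature in an access log, and the upload endpoint can only be marked for review because the file content travels in the POST body. For those, pull the reverse-proxy request log or application-level logging instead; the HTTP 500 on the double-encoded edit_customer.php request in the sample is the kind of correlation (payload plus server error) worth escalating first.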

Why this batch matters. The breadth of this disclosure (19 CVEs across six products in three days, with public exploits for every Sourcecodester flaw) underscores a recurring risk pattern in the Sourcecodester ecosystem. These PHP applications are commonly deployed in schools, clinics, and small retail operations that may lack dedicated security teams. The concentration of SQL injection vulnerabilities (nine of the 19 CVEs) points to a systemic pattern in how database queries are constructed across the vendor's codebase rather than isolated mistakes. Users should treat these products as high-risk until a coordinated patch cycle is demonstrated.

AI-written article, grounded in the 19 CVE records it cites.