code-projects Pharmacy Management System add_new_supplier.php sql injection
Description
A vulnerability classified as critical was found in code-projects Pharmacy Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add_new_supplier.php. The manipulation of the argument name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Pharmacy Management System 1.0 via unsanitized name parameter in /add_new_supplier.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /add_new_supplier.php endpoint, where the name parameter is not properly sanitized before being used in SQL queries. An attacker can inject arbitrary SQL commands through a GET request to this endpoint. The vulnerability is unpatched as of the publication date [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By crafting a malicious GET request to /add_new_supplier.php with a manipulated name parameter containing SQL injection payloads, the attacker can execute arbitrary SQL commands. The provided proof-of-concept demonstrates a time-based blind injection technique using AND 1087=1087 to confirm the injection point [2]. No special privileges or user interaction are required.
Impact
Successful exploitation allows an attacker to extract sensitive data from the database, including supplier details and potentially other application data. The attacker can also modify or delete database records, leading to data integrity loss and potential disruption of operations. Given the critical severity, this could lead to full database compromise [2].
Mitigation
No official patch has been released by the vendor as of the publication date. The vendor website (code-projects.org) does not provide a security update or advisory for this version [1]. Users should consider disabling the vulnerable endpoint or implementing input validation and parameterized queries as a workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `name` parameter in `/php/add_new_supplier.php` allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/add_new_supplier.php` with a malicious `name` parameter containing SQL syntax [ref_id=1]. The payload is injected directly into a SQL query without sanitization, enabling the attacker to execute arbitrary SQL commands [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required beyond a valid session cookie [ref_id=1].
Affected code
The vulnerable endpoint is `/php/add_new_supplier.php` in the Pharmacy Management System 1.0 [ref_id=1]. The `name` parameter passed via GET request is not sanitized before being used in a SQL query, allowing injection of arbitrary SQL commands [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory states the issue is "Unpatched" and recommends immediate remediation to prevent database compromise [ref_id=1]. A proper fix would involve parameterized queries or prepared statements to ensure user-supplied input like the `name` parameter is never concatenated directly into SQL statements.
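As an added illustration of the remediation described above (this is example code, not the project's own source, whose schema and file layout are not on the page), the handler below shows the concatenation pattern the advisory describes next to a hardened version that uses a mysqli prepared statement. The `suppliers` table, its column names, the session variable, and the database credentials are assumptions; the example also treats supplier creation as a POST rather than the GET used in the PoC, which is a design choice rather than something the advisory states.

```php
<?php
// Added example, not code from Pharmacy Management System 1.0.
// Table/column names, session key and credentials below are assumed.
declare(strict_types=1);

// The pattern the advisory describes: request values are pasted straight into
// the query text, so any SQL syntax inside `name` becomes part of the statement.
function addSupplierUnsafe(mysqli $db, array $params): bool
{
    $sql = "INSERT INTO suppliers (name, email, contact_number, address) VALUES ('"
         . $params['name'] . "', '" . $params['email'] . "', '"
         . $params['contact_number'] . "', '" . $params['address'] . "')";
    return $db->query($sql) === true;
}

// Hardened form: the SQL template and the values travel separately, so the
// database never parses user-supplied text as SQL. Validation is added on top
// as an allow-list on shape; the prepared statement is what stops injection.
function addSupplierSafe(mysqli $db, array $params): bool
{
    $name    = trim((string)($params['name'] ?? ''));
    $email   = trim((string)($params['email'] ?? ''));
    $contact = trim((string)($params['contact_number'] ?? ''));
    $address = trim((string)($params['address'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!preg_match('/^\+?[0-9]{6,15}$/', $contact)) {
        return false;
    }
    if (strlen($address) > 255) {
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO suppliers (name, email, contact_number, address) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssss', $name, $email, $contact, $address);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok === true;
}

// Assumed wiring: require a logged-in session, require POST for a
// state-changing action, then call the hardened handler.
session_start();
if (empty($_SESSION['user_id'])) {          // session key is an assumption
    http_response_code(403);
    exit('login required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('method not allowed');
}
$db = new mysqli('localhost', 'pharmacy_user', 'PLACEHOLDER_PASSWORD', 'pharmacy'); // placeholders
$db->set_charset('utf8mb4');
echo addSupplierSafe($db, $_POST) ? 'supplier added' : 'invalid input';
```

The important difference is that `addSupplierSafe` never builds the query from request data: `bind_param` hands the four values to the server as parameters, so a value such as the one in the PoC is stored as a literal supplier name instead of being executed. The shape checks are there to reject obviously malformed records early, not as a substitute for the prepared statement.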
Preconditions
- Network: The attacker must be able to reach the web application over HTTP.
- Auth: A valid PHP session cookie (PHPSESSID) is required.
- Input: The `name` parameter is accepted via GET request without sanitization.
Reproduction
Send a GET request to `/php/add_new_supplier.php` with a `name` parameter containing a SQL injection payload, for example: `name=aaaa' AND 1087=1087 AND 'DBIs'='DBIs`. The full request URL shown in the PoC is: `GET /php/add_new_supplier.php?name=aaaa'%20AND%201087%3d1087%20AND%20'DBIs'%3d'DBIs%26email%3daa%40contato.com.br%26contact_number%3d1234567890%26address%3d321321321321adsadsadsa%20%20dsadsadsa` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/155be99b5314d97b276a7b30b9e6dec0 (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature; permissions-required)
- vuldb.com (mitre; vdb-entry; technical-description)
News mentions
No linked articles in our index yet.