SourceCodester Simple Inventory System login.php sql injection
Description
A vulnerability has been found in SourceCodester Simple Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file login.php. The manipulation of the argument username leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-265081 was assigned to this vulnerability.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in login.php allows direct SQL query concatenation of the username parameter."
Attack vector
An attacker sends a POST request to `/login.php` with a crafted `username` parameter carrying a SQL injection payload, such as `admin'or%201#` (URL-encoded form of `admin'or 1#`). Because the input is unsanitized and spliced directly into the SQL text, the single quote closes the string literal, `or 1` makes the WHERE clause always true, and `#` starts a MySQL line comment that discards the remainder of the query, including the password check. The injected SQL therefore alters the query logic and allows authentication bypass [ref_id=1]. The attacker can then log in to the backend without knowing the correct admin password [ref_id=1].
Affected code
The vulnerability is in `login.php` of SourceCodester Simple Inventory System v1.0. The `$_POST['username']` parameter is directly concatenated into a SQL query without any sanitization or parameterization [ref_id=1].
What the fix does
No patch has been published by the vendor. The remediation recommended by the researcher is to implement security filtering or parameterized queries for the `username` parameter instead of splicing it directly into the SQL statement [ref_id=1]. Using prepared statements with bound parameters would prevent the injected SQL from altering the query structure, because the submitted value is passed to the database as data rather than as part of the query text. The password should likewise be checked in application code against a stored hash rather than compared inside the SQL statement.
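The following is an added example and not the project's own `login.php`: a minimal reconstruction of the concatenation pattern the advisory describes, placed next to a hardened version that uses a mysqli prepared statement and verifies the password against a hash. The table name `users`, the column names `id`, `username`, `password` and `password_hash`, and the database credentials are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Assumed schema: table `users` with
// columns `id`, `username`, `password` (vulnerable variant) or
// `password_hash` (hardened variant, populated with password_hash()).

// --- Vulnerable pattern: $_POST['username'] spliced into the SQL text -----
function vulnerable_login(mysqli $conn, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username='$username' AND password='$password'";
    // With username = admin'or 1#  and password = 1 the text sent to MySQL is
    //   SELECT id, username FROM users WHERE username='admin'or 1#' AND password='1'
    // MySQL treats everything after '#' as a comment, so the WHERE clause
    // collapses to  username='admin' or 1  and matches every row.
    $result = $conn->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch_assoc();
    return $row ? $row : null;
}

// --- Hardened version: username travels as a bound parameter ---------------
// The quote and '#' in the payload are now just characters compared against
// the column value; they can no longer change the shape of the query.
function safe_login(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare(
        "SELECT id, username, password_hash FROM users WHERE username = ?"
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Check the password in PHP against the stored hash, not inside the SQL.
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Request handling; this is the path the advisory's reproduction step hits:
//   POST /login.php  username=admin'or%201#&password=1&submit=Login
if (isset($_POST['submit'])) {
    // Assumed connection parameters.
    $conn = new mysqli('localhost', 'app', 'app-password', 'inventory');
    $user = safe_login($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        echo "Invalid username or password";
        exit;
    }
    session_start();
    $_SESSION['user_id'] = $user['id'];
    header('Location: index.php');
    exit;
}
```

A quick way to confirm which variant an installation runs is to submit the payload from the reproduction section: the concatenating version returns the first row of `users` and grants a session, while the prepared-statement version simply finds no user named `admin'or 1#` and returns 401.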
Preconditions
- network: The application must be accessible over the network via HTTP.
- auth: No authentication is required; the login page is publicly reachable.
- input: The attacker sends a POST request with a crafted username parameter.
Reproduction
1. Send a POST request to `/login.php` with the following body: `username=admin'or%201#&password=1&submit=Login` [ref_id=1].
2. The injected SQL `'or%201#` bypasses authentication, granting access to the backend without the correct admin password [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/rockersiyuan/CVE/blob/main/SourceCodester%20Simple%20Inventory%20System%20Sql%20Inject-1.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.