CVE-2026-10235

Vulnerability

A SQL injection vulnerability exists in CodeAstro Ingredients Stock Management System version 1.0 [1]. The flaw resides in the file /Ingredients-Stock/stock_manager.php, where the txt_search_category argument is unsafely incorporated into a SQL query. No authentication or special configuration is required to reach the vulnerable code path; the parameter is processed when the stock management page is accessed.

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to the affected endpoint with malicious SQL payloads in the txt_search_category parameter. The exploit has been publicly published, lowering the barrier for potential attackers. No user interaction or prior authentication is needed.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized reading, modification, or deletion of data, including sensitive information such as user credentials and inventory records. The attacker may also escalate privileges or compromise the entire application.

Mitigation

As of the publication date (2026-06-01), no official patch or fixed version has been released by CodeAstro [1]. The vendor's website does not mention any update addressing this vulnerability. Until a fix is available, administrators should implement input validation and parameterized queries, or restrict network access to the vulnerable endpoint. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.