VYPR
Medium severity · 4.7 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10237

Description

SQL injection vulnerability in SourceCodester Water Billing Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in the user management module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in SourceCodester Water Billing Management System version 1.0, specifically in the User Management Module. The /admin/?page=user/manage_user endpoint fails to properly sanitize the ID parameter, allowing an attacker to inject arbitrary SQL queries. The issue is present in the unmodified version 1.0 as provided by SourceCodester [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. By sending a crafted HTTP request to the vulnerable endpoint with a malicious ID parameter, the attacker can manipulate the underlying SQL query. The exploit has been publicly disclosed, providing a working proof-of-concept that demonstrates the injection technique.

Impact

Successful exploitation allows an attacker to read, modify, or delete database records, potentially leading to information disclosure of sensitive data such as user credentials and billing information. The attacker gains full access to the database with the privileges of the web application user, which may allow further compromise of the system.

Mitigation

As of the publication date (2026-06-01), no official patch or fixed version has been released by SourceCodester for this vulnerability. The vendor has not acknowledged the issue in the available reference [1]. Users are advised to implement input validation and parameterized queries as a workaround, or consider migrating to alternative billing management software. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
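The Mitigation section above recommends input validation and parameterized queries as the workaround. The following is an added example of that pattern for a user lookup by ID; it is not code from the Water Billing Management System or from the advisory, and the table name `users`, its columns, and the in-memory SQLite database are constructed stand-ins for the application's own schema.

```php
<?php
// Added example, not code from the project or the advisory: validate the ID,
// then bind it in a prepared statement, so the query text never changes.
// Assumptions: a hypothetical table users(id, username, type); an in-memory
// SQLite database stands in for the application's MySQL database.
declare(strict_types=1);

function load_user(PDO $db, string $raw_id): ?array
{
    // Validation: only a positive integer is accepted. Quotes, spaces and SQL
    // operators never reach the query; an input such as "1 OR 1=1" is rejected here.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Parameterization: the SQL text is fixed; the value travels as a bound
    // parameter, so the database never parses it as part of the statement.
    $stmt = $db->prepare('SELECT id, username, type FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, type INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 1), (2, 'clerk', 2)");

// Constructed inputs: two legitimate IDs and several malformed values.
foreach (['1', '2', '1 OR 1=1', "1' OR '1'='1", '-5', ''] as $input) {
    $user = load_user($db, $input);
    printf("%-16s => %s\n", var_export($input, true),
           $user === null ? 'rejected / not found' : json_encode($user));
}
```

Only the inputs `'1'` and `'2'` return a row; every other value fails validation before any query is issued, which is the behaviour the workaround is meant to guarantee for the ID parameter.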

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 6

News mentions: 0

No linked articles in our index yet.