VYPR
High severity 7.3 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10263

Description

SQL injection in SourceCodester Computer Repair Shop Management System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the id parameter in manage_product.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Computer Repair Shop Management System in PHP/OOP Free Source Code v1.0 contains a SQL injection vulnerability in the file /admin/products/manage_product.php. The id parameter is directly concatenated into SQL statements without prepared statements or input validation, allowing attacker-controlled input to alter query logic. [1]

Exploitation

An unauthenticated remote attacker can send a crafted HTTP request to the vulnerable endpoint with a malicious id parameter. The exploit has been publicly disclosed and can be automated using tools like sqlmap, which confirmed the injection and demonstrated database enumeration. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to disclosure of sensitive database contents (e.g., user credentials, repair records), modification or deletion of data, and potential escalation to further attacks on the underlying system. [1]

Mitigation

As of the publication date, no official patch has been released. Users should apply input validation and parameterized queries to the affected file, or restrict network access to the admin panel until a fix is available. The vendor has not yet provided an update. [1]

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"User-supplied input from the `id` parameter is directly concatenated into SQL statements without prepared statements, safe parameter binding, or strict input validation."

Attack vector

An unauthenticated remote attacker sends a crafted GET request to `/admin/products/manage_product.php` with a malicious `id` parameter. Because the input is directly interpolated into the SQL query, the attacker can inject SQL control characters (e.g., a single quote) to alter the query logic. The advisory confirms that sqlmap successfully exploited this using boolean-based blind, error-based, and time-based blind techniques, and enumerated 17 databases [ref_id=1]. No authentication or prior access is required.

Affected code

The vulnerability resides in `/admin/products/manage_product.php` at line 5. The `id` parameter from `$_GET['id']` is directly concatenated into a SQL query without any sanitization or prepared statements. The vulnerable sink is: `$qry = $conn->query("SELECT * from product_list where id = '{$_GET['id']}' ");` [ref_id=1]

What the fix does

The advisory recommends using prepared statements with parameter binding, implementing strict input validation and whitelisting, and applying the principle of least privilege to the database account [ref_id=1]. No official patch is provided in the bundle. The root cause is that user-supplied input from the `id` parameter is directly concatenated into SQL statements without prepared statements, safe parameter binding, or strict input validation [ref_id=1].
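To make the recommended fix concrete, the following is an added illustration (not code from the project or the advisory): the vulnerable sink quoted above beside a hardened version that validates `id` as an integer and binds it with a mysqli prepared statement. The `$conn` mysqli connection and the `product_list` table come from the page; the function names are assumptions.

```php
<?php
// Added example, not the project's code. Assumes $conn is a mysqli connection
// (as in the sink quoted by the advisory) and a product_list table with an
// integer primary key `id`.

// Vulnerable form, as described in the advisory: $_GET['id'] is interpolated
// straight into the SQL string, so the query logic is attacker-controlled.
function loadProductVulnerable(mysqli $conn): ?array
{
    $qry = $conn->query("SELECT * from product_list where id = '{$_GET['id']}' ");
    return $qry ? $qry->fetch_assoc() : null;
}

// Hardened form: whitelist the id as a positive integer, then bind it as a
// parameter so the database never interprets it as SQL syntax.
function loadProductSafe(mysqli $conn, string $rawId): ?array
{
    // Strict input validation: anything that is not a positive integer
    // (including quotes, spaces, or comment sequences) is rejected outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $conn->prepare('SELECT * FROM product_list WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Hypothetical wiring inside manage_product.php:
// $product = loadProductSafe($conn, $_GET['id'] ?? '');
```

Pair this with the advisory's least-privilege advice: the account behind `$conn` should only hold the SELECT/UPDATE rights the page needs, so a future injection elsewhere cannot read unrelated databases.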

Preconditions

  • Network: The vulnerable endpoint must be reachable over the network (default installation).
  • Authentication: No authentication or authorization is required.
  • Input: The attacker must be able to send HTTP GET requests to the server.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.