CVE-2026-11495
Description
SQL injection vulnerability in CodeAstro Ingredients Stock Management System 1.0 allows remote attackers to access, modify, or delete database data via the 'id' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in CodeAstro Ingredients Stock Management System version 1.0, in the /Ingredients-Stock/add_stock.php file. The id parameter is placed directly into SQL queries without sanitization or validation, so SQL syntax supplied in that parameter is executed by the database [1].
Exploitation
An attacker can exploit the flaw remotely by supplying a crafted id value, reported as a GET parameter. The injected SQL is executed against the application's database. The reference provides a time-based blind SQL injection payload for MySQL as a proof of concept [1].
Impact
Successful exploitation allows unauthorized reading of database contents, tampering with or deletion of records and, depending on the privileges of the database account the application uses, further compromise of the system. This affects the confidentiality, integrity and availability of the system and its data [1].
Mitigation
No patched version or fix date is disclosed in the available references. Users should consult the vendor for mitigation or workarounds; the vendor's website is listed at [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CodeAstro Ingredients Stock Management System, range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The '/Ingredients-Stock/add_stock.php' file directly uses the 'id' parameter in SQL queries without proper sanitization or validation."
Attack vector
An attacker can remotely manipulate the 'id' argument of a GET request to '/Ingredients-Stock/add_stock.php'. Because the value is concatenated into the query text, injected SQL changes the meaning of the intended statement, enabling unauthorized database access, data leakage or modification. The reference demonstrates this with a time-based blind SQL injection payload against the 'id' parameter [ref_id=1].
Affected code
The vulnerability resides in the '/Ingredients-Stock/add_stock.php' file of Ingredients Stock Management System version 1.0. The 'id' parameter is read from the request and incorporated directly into SQL queries without validation or escaping, which is what makes the injection possible [ref_id=1].
What the fix does
The advisory recommends prepared statements with parameter binding, which keeps SQL code separate from user-supplied data so that the database never parses the 'id' value as syntax. It also recommends strict input validation so that the parameter must match its expected format (a numeric identifier) before it is used. Running the application with a minimally privileged database account and conducting regular security audits are advised as defense in depth [ref_id=1].
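The following is an added example written for this page, not code from CodeAstro or from the vulnerable add_stock.php (which is not reproduced here). It models the flaw described under Exploitation and the fix described above in Python against an in-memory SQLite stand-in for the application's MySQL database: the table names, columns and rows are constructed for the demo. Because SQLite has no SLEEP(), a boolean (`1 OR 1=1`) and a UNION payload stand in for the reference's time-based MySQL payload; the mechanism (the id value being parsed as SQL) is the same.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in schema; the real application's tables are not on this page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stock (id INTEGER PRIMARY KEY, ingredient TEXT, qty INTEGER);
        INSERT INTO stock VALUES (1, 'flour', 40), (2, 'sugar', 12), (3, 'salt', 5);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        """
    )
    return conn


def fetch_stock_vulnerable(conn, raw_id):
    """Models the flaw: the request's 'id' value is spliced into the SQL text,
    so anything after the number is parsed as part of the WHERE clause."""
    sql = "SELECT id, ingredient, qty FROM stock WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_stock_fixed(conn, raw_id):
    """Hardened form from the advisory's advice: validate the parameter's
    shape (a positive integer), then pass it to the driver as a bound value.
    Binding alone already stops the injection; validation rejects junk early
    and gives a clear error instead of an empty result."""
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError(f"rejected id parameter: {raw_id!r}")
    sql = "SELECT id, ingredient, qty FROM stock WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def is_rejected(conn, raw_id):
    """True if the hardened lookup refuses the value."""
    try:
        fetch_stock_fixed(conn, raw_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    # Legitimate request: both versions return the one row.
    print(fetch_stock_vulnerable(db, "2"))
    # Boolean payload: the vulnerable query returns the whole table.
    print(fetch_stock_vulnerable(db, "1 OR 1=1"))
    # UNION payload: the vulnerable query leaks rows from an unrelated table.
    print(fetch_stock_vulnerable(db, "0 UNION SELECT id, username, password FROM users"))
    # The hardened lookup accepts only a numeric id.
    print(fetch_stock_fixed(db, "2"), is_rejected(db, "1 OR 1=1"))
```

The UNION payload only works when the attacker matches the column count of the original SELECT, which is why the constructed `users` table has three columns; a real attacker would enumerate that with a series of probes, which is what the page's sqlmap reproduction automates.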
Preconditions
- network: The attack can be launched remotely.
- auth: The attacker needs a low-privileged account (CVSS PR:L).
- input: The 'id' parameter is vulnerable to manipulation.
Reproduction
# 1.txt holds the captured HTTP request to /Ingredients-Stock/add_stock.php that carries the 'id' parameter; --batch accepts sqlmap's defaults without prompting
sqlmap -r 1.txt --batch
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Code Projects: Four SQLi Vulnerabilities Disclosed Together on June 8 (Vypr Intelligence, Jun 8, 2026)