VYPR
Low severity · CVSS 2.7 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 17, 2026

CVE-2026-36945

Description

Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 via the `id` parameter in manage_client.php allows unauthenticated database extraction.

Vulnerability

Analysis

The Sourcecodester Computer and Mobile Repair Shop Management System v1.0 contains a SQL injection vulnerability in the file /rsms/admin/clients/manage_client.php. The `id` parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands [1]. The application is built on PHP 8.1 with a MySQL backend, and the vulnerability was confirmed using a union-based injection payload that extracts database metadata [1].

Exploitation

An attacker can exploit this flaw by sending a crafted GET request to the vulnerable endpoint. The proof-of-concept payload `-2' union select 1,database(),3,4,5,6,7,8,9,10--+` demonstrates the ability to retrieve the database name (`rsms_db`) by manipulating the `id` parameter [1]. No authentication is required beyond the default admin credentials (admin/admin123) provided in the reference, though the vulnerability may be exploitable without authentication if the endpoint is accessible [1]. The attack requires only network access to the application.

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, including user credentials, client data, and repair records. The CVSS v3 base score of 2.7 reflects the low severity due to the need for authenticated access in the default configuration, but the impact could be higher if the endpoint is exposed without authentication [1].

Mitigation

As of the publication date (2026-04-13), no official patch has been released by Sourcecodester. The vendor page remains active, but the application may be end-of-life or unsupported [1]. Users should apply input validation and parameterized queries to the `id` parameter, restrict access to the admin panel, and consider migrating to a supported solution.
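The following is an added illustration of the mitigation described above; it is not the application's own source and does not reproduce manage_client.php. It shows the string-concatenation pattern the advisory describes next to a hardened handler that validates the `id` as an integer and binds it through a prepared statement. The PDO connection, the table name `clients`, its columns, and the DSN credentials are all assumptions for the example.

```php
<?php
// Added example, not code from the advisory or the vendor.
// Assumes a PDO connection to the MySQL backend and a hypothetical
// table `clients` with an integer primary key `id`.

// INSECURE (the pattern the advisory describes): the request value is
// spliced into the SQL text, so quotes and keywords in `id` become
// part of the statement the server executes.
function getClientInsecure(PDO $pdo, string $id): ?array
{
    $sql = "SELECT * FROM clients WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: reject anything that is not a positive integer, then pass
// the value as a bound parameter so the driver sends it separately
// from the query text and it can never be parsed as SQL.
function getClientSecure(PDO $pdo, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // invalid id: fail closed
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, contact FROM clients WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with hypothetical connection settings. Emulated prepares are
// disabled so MySQL itself performs the parameter binding.
$pdo = new PDO(
    'mysql:host=localhost;dbname=rsms_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$client = getClientSecure($pdo, $_GET['id'] ?? null);
```

The integer check alone would already stop the quoted payload in this advisory, but the prepared statement is the control that generalizes: it protects every query in the admin panel that takes request input, not just ones whose parameters happen to be numeric. Restricting the admin endpoints to authenticated sessions, as the mitigation paragraph recommends, is a separate layer and does not remove the need for either.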

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)