VYPR
High severity · 7.2 · NVD Advisory · Published Apr 16, 2026 · Updated Apr 18, 2026

CVE-2026-37341


Description

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL injection via the `id` parameter in `/parking/manage_category.php`, allowing unauthenticated data extraction.

Vulnerability Overview

CVE-2026-37341 describes a SQL injection vulnerability in SourceCodester Vehicle Parking Area Management System v1.0. The flaw resides in the `/parking/manage_category.php` script, where the `id` parameter is directly concatenated into SQL queries without proper sanitization or parameterization. This allows an attacker to inject arbitrary SQL commands, as demonstrated by the payload `0 union select 1,database(),3--+`, which retrieves the database name [1].

Exploitation Details

The vulnerability is exploitable via a simple GET request to `/parking/manage_category.php?id=<payload>`. The provided proof-of-concept uses a session cookie from a default admin account (`admin`/`admin123`), but no authentication is required: the injection itself does not depend on prior authentication. The attacker only needs network access to the vulnerable endpoint. The injection point is the `id` parameter, and the database name `parking_db` is leaked in the response [1].

Impact

Successful exploitation allows an attacker to extract sensitive data from the underlying MySQL database, including user credentials, parking records, and other application data. The attacker can also potentially modify or delete data, escalate privileges, or gain further access to the server, depending on database permissions. The CVSS v3 score of 7.2 (High) reflects the ease of exploitation and the potential for significant data compromise.

Mitigation

As of the publication date (2026-04-16), no official patch has been released by SourceCodester. Users are advised to apply input validation and parameterized queries to the affected file, or to restrict access to the /parking/ directory until a vendor update is available. The vulnerability has been publicly disclosed with a working exploit, increasing the risk of active exploitation.
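
The concatenation flaw and the parameterized fix recommended above, as an added example that is not the application's own code. It uses Python's `sqlite3` as a stand-in for the MySQL backend; the `category` table, its columns and the registered `database()` function are assumptions made so that the payload quoted in the advisory runs unchanged.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Payload quoted in the advisory, URL-decoded the way a GET parameter would be.
PAGE_PAYLOAD = unquote_plus("0 union select 1,database(),3--+")


def make_db():
    """Constructed stand-in for the MySQL backend; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no database(); register one so the payload runs unchanged.
    conn.create_function("database", 0, lambda: "parking_db")
    conn.execute(
        "CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)")
    conn.executemany("INSERT INTO category VALUES (?, ?, ?)",
                     [(1, "Two Wheeler", 1), (2, "Four Wheeler", 1)])
    return conn


def lookup_concatenated(conn, raw_id):
    """Flawed pattern: the id value becomes part of the SQL text."""
    sql = "SELECT id, name, status FROM category WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id, validate=True):
    """Fix: reject non-numeric ids, then bind the value instead of splicing it."""
    if validate:
        if not re.fullmatch(r"[0-9]{1,9}", raw_id):
            raise ValueError("id must be a decimal integer")
        raw_id = int(raw_id)
    sql = "SELECT id, name, status FROM category WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, PAGE_PAYLOAD))
    print("bound only:  ", lookup_parameterized(db, PAGE_PAYLOAD, validate=False))
    try:
        lookup_parameterized(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("validated:   ", exc)
```

Binding alone already turns the payload into an inert value that matches no row; the validation step additionally rejects it before any query is issued.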

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
