CVE-2026-37342
Description
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL injection in the id parameter of /parking/view_parked_details.php, allowing unauthenticated data extraction.
Vulnerability Overview
CVE-2026-37342 describes a SQL injection vulnerability in SourceCodester Vehicle Parking Area Management System v1.0. The flaw resides in the /parking/view_parked_details.php file, where the id parameter is directly concatenated into SQL queries without proper sanitization or parameterization. An attacker can inject arbitrary SQL commands via the id parameter, as demonstrated by a UNION-based payload that retrieves database metadata [1].
Exploitation Details
Exploitation requires no authentication; the vulnerable endpoint is accessible to unauthenticated users. The attacker sends a GET request to /parking/view_parked_details.php?id=<payload>. The provided proof-of-concept uses a UNION SELECT statement to extract the database name (parking_db) and other data from the underlying MySQL database. The application runs on XAMPP with PHP 8.1, and the default admin credentials (admin/admin123) are not required for this attack vector [1].
Impact
Successful exploitation allows an attacker to read arbitrary data from the database, including sensitive information such as user credentials, parking records, and other application data. The SQL injection can also be leveraged to bypass authentication, modify data, or potentially achieve remote code execution depending on database permissions. The CVSS v3 score of 7.2 (High) reflects the ease of exploitation and the potential for significant data compromise.
Mitigation
As of the publication date (2026-04-16), no official patch has been released by SourceCodester. Users are advised to apply input validation and parameterized queries to the id parameter, or to restrict access to the vulnerable endpoint until a fix is available. The vendor's website provides the source code, allowing developers to implement their own sanitization [1].
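One way to apply the input validation and parameterized query advice above to the id parameter, shown as an added example that is not SourceCodester's code. The table, column, database account and environment variable names are hypothetical; only the id parameter and the parking_db database name come from this entry.

```php
<?php
declare(strict_types=1);
// Added example. Table, column, DB account and env-var names are hypothetical;
// only the id parameter and the parking_db database name come from the advisory.
// Pattern the advisory describes (illustrative, not the project's source):
//   $sql = "SELECT * FROM parked_vehicles WHERE id = " . $_GET['id'];

/** Accept only a positive integer; arrays, empty values and SQL fragments yield null. */
function parse_record_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look the record up with a bound parameter, so the value is never parsed as SQL. */
function fetch_parked_details(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, vehicle_no, slot_no, time_in FROM parked_vehicles WHERE id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = parse_record_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions on DB errors
try {
    $db = new mysqli('localhost', 'parking_app', getenv('PARKING_DB_PASS') ?: '', 'parking_db');
    $db->set_charset('utf8mb4');
    $row = fetch_parked_details($db, $id);
} catch (mysqli_sql_exception $e) {
    error_log('view_parked_details.php: ' . $e->getMessage()); // details go to the log only
    http_response_code(500);
    exit('Internal error');
}
if ($row === null) {
    http_response_code(404);
    exit('Record not found');
}
foreach ($row as $column => $value) { // encode on output as well
    echo htmlspecialchars($column . ': ' . (string) $value, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```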
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
References