CVE-2026-37344
Description
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the /parking/manage_location.php endpoint via the id parameter, allowing an authenticated attacker to extract database contents.
Vulnerability Overview
CVE-2026-37344 describes a SQL Injection vulnerability in SourceCodester Vehicle Parking Area Management System v1.0. The flaw resides in the file /parking/manage_location.php, where the id parameter is directly concatenated into SQL queries without proper sanitization or parameterization [1]. This allows an attacker to inject arbitrary SQL commands.
Exploitation Details
An attacker must first authenticate to the application; the default credentials admin/admin123 are provided in the reference [1]. Once logged in, the attacker can send a crafted GET request to /parking/manage_location.php?id=0%20union%20select%201,database(),3,4--+ to exploit the vulnerability. The injection point is the id parameter, and the attack does not require any special network position beyond access to the web interface [1].
Impact
Successful exploitation enables an attacker to retrieve sensitive information from the underlying MySQL database, such as the database name (parking_db), and potentially other tables containing user credentials, parking records, or application data. The vulnerability is classified as High severity with a CVSS v3 score of 7.2, indicating significant confidentiality impact [1].
Mitigation
As of the publication date (April 16, 2026), no official patch has been released by SourceCodester. Users should apply input validation and parameterized queries to the affected endpoint, or restrict access to the management interface until a vendor update is available [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
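A defensive check for the affected endpoint while no vendor patch exists, as an added example (not code from SourceCodester or the referenced advisory): it scans web access logs for requests to /parking/manage_location.php whose id value is not a plain integer. The combined log format, the digits-only rule for id, and the sample log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the CVE description.
TARGET_PATH = "/parking/manage_location.php"
TARGET_PARAM = "id"

# Assumed log format: Apache/Nginx common or combined access log.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumption: a legitimate location id is a short run of ASCII digits.
VALID_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2026:10:01:02 +0000] "GET /parking/manage_location.php?id=3 HTTP/1.1" 200 1532',
    '198.51.100.7 - - [16/Apr/2026:10:02:11 +0000] "GET /parking/manage_location.php?id=0%20union%20select%201,database(),3,4--+ HTTP/1.1" 200 1498',
    '192.0.2.10 - - [16/Apr/2026:10:03:40 +0000] "GET /parking/index.php?id=abc HTTP/1.1" 200 900',
    '198.51.100.7 - - [16/Apr/2026:10:04:05 +0000] "GET /parking/manage_location.php?id=5%27 HTTP/1.1" 500 310',
]


def suspicious_id_requests(lines):
    """Return one finding per request to the endpoint with a non-integer id."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        url = urlsplit(m.group("target"))
        # Decode and normalise the path so /parking//manage_location.php
        # or percent-encoded variants are still matched.
        path = posixpath.normpath(unquote(url.path))
        if path != TARGET_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(TARGET_PARAM, []):
            if not VALID_ID.fullmatch(value):
                findings.append(
                    {"ip": m.group("ip"), "status": m.group("status"), "id": value}
                )
    return findings


if __name__ == "__main__":
    for finding in suspicious_id_requests(SAMPLE_LOG):
        print(finding)
```

The same digits-only rule can be enforced in front of the application (for example in a reverse proxy or WAF rule) so that non-integer id values never reach the query.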
Affected products (1)
- Range: = v1.0
Patches (0)
No patches discovered yet.
References (1)