CVE-2026-5636
Description
A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This affects an unknown part of the file /cancelorder.php of the component Parameter Handler. This manipulation of the argument oid causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPGurukul Online Shopping Portal Project 2.1 suffers from a SQL injection vulnerability in /cancelorder.php via the oid parameter, enabling remote unauthenticated attackers to manipulate database queries.
Root Cause
A SQL injection vulnerability has been discovered in the PHPGurukul Online Shopping Portal Project version 2.1, specifically within the /cancelorder.php file. The vulnerability resides in the Parameter Handler component. The application fails to properly sanitize or validate user input supplied through the oid parameter prior to its use in SQL queries [2]. This oversight allows an attacker to inject arbitrary SQL code into the query [1].
Exploitation
Exploitation can be initiated remotely and does not require authentication [1]. A time-based blind SQL injection payload has been demonstrated by a security researcher, using the oid parameter in a GET request with a crafted value like 6' RLIKE SLEEP(5)-- VAsx [2]. This confirms that an attacker can infer the success of injection by observing response delays, even in the absence of direct error output. The exploit details have been made publicly available [1].
Impact
Successful exploitation allows an attacker to gain unauthorized access to the underlying database [2]. This could lead to the leakage of sensitive data (such as user credentials or order details), data tampering, or complete compromise of the database server, potentially affecting the broader system and business operations [1].
Mitigation
The vendor, PHPGurukul, provides tutorials on secure coding practices including the use of Parameterized Statements (like PDO) to prevent SQL injection [1]. However, as of the publication date, no official patched version has been released for this specific vulnerability. The affected software is the Online Shopping Portal Project version 2.1 [2]. It is strongly recommended that users apply input validation and parameterized queries to the oid parameter in cancelorder.php as a workaround, or consider replacing the application with a maintained alternative.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
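As an added illustration of the bug class and the parameterized-query fix recommended above (example code written for this page, not the PHPGurukul project's own source; the table, column names, session variable and DSN are assumed):

```php
<?php
// Hypothetical reconstruction of the pattern behind CVE-2026-5636 next to a
// hardened version. Schema (orders.id, orders.status, orders.user_id) is assumed.

// --- Vulnerable pattern: the raw oid value is spliced into the SQL text ---
function cancelOrderVulnerable(mysqli $db, string $oid): bool
{
    // Whatever the client sends becomes part of the statement, so a value
    // containing a quote and SQL keywords changes the query structure itself.
    $sql = "UPDATE orders SET status = 'Cancelled' WHERE id = '" . $oid . "'";
    return $db->query($sql) !== false;
}

// --- Hardened pattern: validate the type, then bind it as a parameter ---
function cancelOrderSafe(PDO $db, string $rawOid, int $sessionUserId): bool
{
    // An order id is a positive integer; reject anything else before it
    // reaches the database layer.
    $oid = filter_var($rawOid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($oid === false) {
        http_response_code(400);
        return false;
    }
    // Placeholders keep the statement text fixed; the bound value can only
    // ever be compared as data. Scoping by the logged-in user (assumed column)
    // also prevents cancelling someone else's order by guessing an id.
    $stmt = $db->prepare(
        'UPDATE orders SET status = :status WHERE id = :oid AND user_id = :uid'
    );
    $stmt->execute([':status' => 'Cancelled', ':oid' => $oid, ':uid' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// Usage sketch (assumed DSN and session handling):
// $pdo = new PDO('mysql:host=localhost;dbname=shopping', $dbUser, $dbPass, [
//     PDO::ATTR_EMULATE_PREPARES => false,          // native server-side prepares
//     PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
// ]);
// cancelOrderSafe($pdo, $_GET['oid'] ?? '', (int) $_SESSION['uid']);
```

Disabling emulated prepares makes PDO send the statement and its values to MySQL separately, so the server never has to parse user data as SQL.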
Affected products
Range: =2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.