CVE-2026-7731
Description
A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. Manipulation of the argument G_STATE_ID leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in BloodBank Managing System 1.0's get_state.php allows unauthenticated remote attackers to extract database contents.
The vulnerability is an SQL injection in the get_state.php file of code-projects BloodBank Managing System 1.0. The G_STATE_ID parameter is directly concatenated into an SQL query without sanitization, allowing an attacker to inject arbitrary SQL commands [1].
No authentication is required; the vulnerable endpoints are publicly accessible. An attacker can send a crafted POST request with G_STATE_ID containing a UNION SELECT payload to retrieve data from the database. The response is reflected in HTML <option> tags, making extraction straightforward [1].
Successful exploitation allows an attacker to read arbitrary database contents, including user credentials and other sensitive information. The PoC demonstrates retrieving the MySQL version and database name [1].
The vendor has not released a patch; users should consider the system compromised if exposed. The exploit is publicly disclosed and may be used in attacks [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
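A hardened form of the handler pattern described above, as an added example: this is not code from the BloodBank project or from the referenced PoC. The function name and the `district` table with its columns are assumptions, and an in-memory SQLite database with constructed rows stands in for the application's MySQL database.

```php
<?php
declare(strict_types=1);
// Added example. render_options(), the district table and its columns are hypothetical.

/** Return <option> markup for one state id, or '' when the id is not a plain integer. */
function render_options(PDO $pdo, string $rawId): string
{
    // 1. Allow-list the input: ASCII digits only, bounded length, no sign or whitespace.
    if (!preg_match('/\A[0-9]{1,9}\z/', $rawId)) {
        return '';
    }
    // 2. Bind the value as an integer; it never becomes part of the SQL text.
    //    (With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false.)
    $stmt = $pdo->prepare(
        'SELECT id, name FROM district WHERE state_id = :sid ORDER BY name'
    );
    $stmt->bindValue(':sid', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    // 3. Encode on output so stored data cannot break out of the <option> element.
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= sprintf(
            "<option value=\"%d\">%s</option>\n",
            (int)$row['id'],
            htmlspecialchars((string)$row['name'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed demo data; the schema is an assumption, not the application's.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE district (id INTEGER PRIMARY KEY, state_id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO district (state_id, name) VALUES (1, 'North'), (1, 'A<b>&B'), (2, 'South')");

// In a real handler the value would come from $_POST['G_STATE_ID'].
$samples = ['1', '2', '1 OR 1=1', "1'", '', '-1'];   // constructed inputs
foreach ($samples as $raw) {
    $out = render_options($pdo, $raw);
    printf(
        "%-12s => %s\n",
        var_export($raw, true),
        $out === '' ? '(rejected or no rows)' : trim(str_replace("\n", ' ', $out))
    );
}
```

Only the two purely numeric inputs reach the database; every other sample is rejected before a query is prepared, and the stored name containing markup is emitted HTML-encoded.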
Affected products (1)
- Range: =1.0
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.