CVE-2026-9606
Description
A vulnerability has been found in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /manage_user.php. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in itsourcecode Courier Management System 1.0's /manage_user.php allows unauthenticated remote attackers to extract or modify database contents via the id parameter.
Vulnerability
A SQL injection vulnerability exists in itsourcecode Courier Management System version 1.0. The flaw resides in the /manage_user.php file, where the application directly concatenates the user-supplied id GET parameter into an SQL query without sanitization or validation (line 5: $user = $conn->query("SELECT * FROM users where id =".$_GET['id']);). This allows an attacker to inject arbitrary SQL commands. Affected version: 1.0. No authentication is required to reach the vulnerable endpoint [1][2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to /manage_user.php with a malicious id parameter. Example payloads include boolean-based blind, time-based blind (e.g., id=1 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))VRZs)), and UNION queries (e.g., id=-7753 UNION ALL SELECT NULL,NULL,NULL,CONCAT(...),NULL,NULL,NULL,NULL-- -). The exploit can be executed using sqlmap to automate extraction of database contents. No prior authentication or user interaction is needed [2].
Impact
Successful exploitation allows an attacker to perform unauthorized database operations, including extraction of sensitive data (e.g., user credentials, personal information), modification of data, and enumeration of the database structure. The impact is information disclosure and potential data integrity loss, with the attacker gaining access to the underlying MySQL database [2].
Mitigation
As of the published date (2026-05-27), no official patch or fixed version has been released by the vendor. Users of itsourcecode Courier Management System 1.0 should assume the software is vulnerable. Mitigation options include implementing input validation and parameterized queries on the id parameter, restricting network access to the vulnerable endpoint, and monitoring for exploitation attempts until a patch is made available [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in `/manage_user.php` allows direct concatenation of the `id` GET parameter into an SQL query."
Attack vector
An unauthenticated attacker sends a GET request to `/manage_user.php` with a malicious `id` parameter. Because the application directly concatenates the user-supplied `id` into the SQL query without sanitization, the attacker can inject SQL commands to manipulate the query [ref_id=1]. Example payloads include boolean-based blind, time-based blind (e.g., `id=1 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))VRZs)`), and UNION queries to extract data [ref_id=1]. The attack is remotely exploitable with no authentication required [ref_id=1].
Affected code
The vulnerable file is `/manage_user.php`. At line 5, the application directly concatenates the user-supplied `id` parameter into an SQL query without any sanitization or validation: `$user = $conn->query("SELECT * FROM users where id =".$_GET['id']);` [ref_id=1].
What the fix does
The advisory recommends using prepared statements with parameter binding to separate SQL code from user input, e.g., `$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?"); $stmt->bind_param("i", $_GET['id']);` [ref_id=1]. Additionally, input validation such as casting the ID to an integer with `intval()` and minimizing database user permissions are suggested [ref_id=1]. No official patch from the vendor has been published.
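The following is an added example, not code from the itsourcecode project or from the advisory, showing what the mitigation described under "Mitigation" and "What the fix does" looks like in the handler itself: the quoted vulnerable line beside a hardened version that validates the id and uses a mysqli prepared statement with parameter binding. The `$conn` mysqli object and the `users` table come from the quoted vulnerable line; the column list, the database credentials and the `load_user` function name are assumptions. It uses `FILTER_VALIDATE_INT` rather than the advisory's `intval()` because `filter_var` rejects non-numeric input outright instead of truncating it to a leading integer.

```php
<?php
// Added example (not the project's code): hardened handling of the id
// parameter in /manage_user.php. Assumes $conn is the mysqli connection
// the original script already has; column names and credentials are
// placeholders.

// Vulnerable form quoted in the advisory (line 5 of /manage_user.php):
//   $user = $conn->query("SELECT * FROM users where id =".$_GET['id']);
// Whatever string arrives in $_GET['id'] becomes part of the SQL text, so
// the query structure itself is under the client's control.

function load_user(mysqli $conn, $raw_id): ?array
{
    // 1. Validate: the id must be a positive integer. FILTER_VALIDATE_INT
    //    returns false for anything that is not a whole number, whereas
    //    intval("1 AND ...") would silently return 1 and hide the attempt.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Prepared statement: the SQL text is fixed at prepare time and the
    //    value travels separately, so it can never alter the query.
    $stmt = $conn->prepare("SELECT id, username, email FROM users WHERE id = ?");
    $stmt->bind_param("i", $id);   // "i" binds the value as an integer
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();

    return $user ?: null;
}

// Least-privilege account assumed: SELECT only on the tables this page reads.
$conn = new mysqli("localhost", "cms_readonly", "<password placeholder>", "courier_db");
$conn->set_charset("utf8mb4");

$user = load_user($conn, $_GET['id'] ?? '');
if ($user === null) {
    http_response_code(400);
    exit("invalid or unknown user id");
}
// ... render $user as the original page does ...
```

Rejecting the request with a 400 when validation fails (rather than falling back to a default id) also gives the log line that the advisory's "monitor for exploitation attempts" advice needs: every probe against this parameter shows up as a 400 on /manage_user.php with a non-integer id.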
Preconditions
- auth: No authentication required; the vulnerable endpoint is accessible without credentials.
- network: Attacker must be able to send HTTP GET requests to the target server.
- input: The id parameter is accepted directly from user input without sanitization.
Reproduction
1. Send a GET request to the vulnerable endpoint: `http://
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.