CVE-2026-9607
Description
A vulnerability was found in itsourcecode Courier Management System 1.0. It affects an unknown function in the file /parcel_list.php. Manipulating the argument s results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Courier Management System 1.0 via 's' parameter in /parcel_list.php allows authenticated attackers to execute arbitrary SQL queries.
Vulnerability
A SQL injection vulnerability exists in itsourcecode Courier Management System version 1.0 in the file /parcel_list.php. The s GET parameter is not sanitized before being used in SQL queries, allowing injection of malicious SQL code. The vulnerability requires prior authentication to reach the affected function [2].
Exploitation
An attacker must first obtain valid credentials for the Courier Management System. After logging in, they can send a crafted GET request to /parcel_list.php with a malicious s parameter. Proof-of-concept payloads include time-based blind injection using SLEEP() and UNION queries to extract data. The attack is remote and does not require special network position beyond access to the application [2].
Impact
Successful exploitation allows an attacker to perform unauthorized database operations, including reading sensitive data, modifying records, and potentially gaining comprehensive control over the system. This can lead to data leakage, data tampering, and service interruption, posing a serious threat to system security and business continuity [2].
Mitigation
No official fix or patched version has been released by the vendor as of the publication date. The application should implement proper input validation and parameterized queries to prevent SQL injection. Until a fix is available, restricting access to the application and monitoring for suspicious s parameter values are recommended workarounds [2].
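The monitoring workaround above, as an added example (not code from the advisory or the vendor): a Python filter over web-server access logs that flags requests to /parcel_list.php whose s value contains the SLEEP() or UNION patterns the advisory mentions. The combined log format, the quote/comment indicator, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: client IP first, request field in double quotes.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators for the `s` parameter. SLEEP() and UNION come from the advisory;
# the quote/comment check is an added assumption about injection syntax.
INDICATORS = {
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "quote_or_comment": re.compile(r"['\"]|--|#|/\*"),
}

def flag_parcel_list_requests(lines):
    """Return (client_ip, decoded_s, [indicator names]) for suspicious requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/parcel_list.php"):
            continue  # only the endpoint named in the advisory
        # parse_qs percent-decodes values and turns '+' into a space,
        # so encoded payloads are matched in their decoded form.
        for value in parse_qs(url.query, keep_blank_values=True).get("s", []):
            names = [n for n, rx in INDICATORS.items() if rx.search(value)]
            if names:
                hits.append((m.group("ip"), value, names))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2026:10:00:01 +0000] "GET /parcel_list.php?s=1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/May/2026:10:02:14 +0000] "GET /parcel_list.php?s=1+AND+SLEEP%285%29 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/May/2026:10:02:31 +0000] "GET /parcel_list.php?s=1%27+UNION+SELECT+NULL--+ HTTP/1.1" 200 6011',
    '203.0.113.7 - - [27/May/2026:10:03:00 +0000] "GET /index.php?page=home&s=UNION+SELECT HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value, names in flag_parcel_list_requests(SAMPLE_LOG):
        print(f"{ip}\t{names}\t{value!r}")
```

Because the endpoint sits behind authentication, each flagged request can be correlated with the session or account that issued it.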
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 1.0
Patches
No patches discovered yet.
References
5
News mentions
No linked articles in our index yet.