VYPR
Published Jun 2, 2026 · 1 source

SourceCodester: 17 Vulnerabilities Disclosed, Including SQLi and SSRF with Public Exploits


Key findings

  • 17 vulnerabilities disclosed across multiple SourceCodester applications between May 29 and June 2, 2026.
  • High-severity SQL injection flaws affect Hospital Records, Water Billing, and Computer Repair Shop systems.
  • Server-Side Request Forgery (SSRF) and improper authorization vulnerabilities also disclosed.
  • Multiple applications, including Pharmacy Sales and Inventory System, have several disclosed flaws.
  • Public exploit code is available for many of the disclosed vulnerabilities, increasing immediate risk.
  • No official patches were immediately available from SourceCodester at the time of disclosure.

A significant cluster of 17 vulnerabilities impacting multiple SourceCodester applications was disclosed between May 29 and June 2, 2026. The disclosures include critical flaws such as SQL injection and Server-Side Request Forgery (SSRF), with public exploit code available for many of them, raising immediate concerns for users of these systems.

Several applications are affected by multiple vulnerabilities. The SourceCodester Pharmacy Sales and Inventory System 1.0 is particularly impacted, with five separate vulnerabilities disclosed, including four instances of Cross-Site Scripting (XSS) and one CSV injection. These flaws affect functions related to medicine and supplier creation, as well as sales statements.

SQL injection vulnerabilities are a prominent theme within this batch. The SourceCodester Hospitals Patient Records Management System 1.0 has two high-severity SQL injection flaws in its user management functions (/classes/Users.php?f=save and /classes/Users.php?f=delete), both remotely exploitable. The SourceCodester Water Billing Management System 1.0 has a high-severity SQL injection vulnerability in its user management module (/admin/?page=user/manage_user). Another SQL injection vulnerability was found in SourceCodester Computer Repair Shop Management System 1.0, affecting product management.

Beyond SQL injection, other critical vulnerabilities include Server-Side Request Forgery (SSRF) in SourceCodester SEO Meta Tag Extractor 1.0 (/index.php), allowing remote attacks via manipulation of the 'url' argument. Improper authorization is also a concern in the SourceCodester Water Billing Management System 1.0, stemming from a vulnerability in its user management endpoint (/classes/Users.php?f=save). File inclusion vulnerabilities were identified in SourceCodester Pizzafy Ecommerce System 1.0, affecting both the main index and admin index files.
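Defensive triage for the SQL injection endpoints and the SSRF 'url' parameter described above, as an added example that is not part of the Vypr summary or of any SourceCodester code: it scans web-server access-log lines for the endpoints named on this page, flags SQL metacharacters in the other query parameters sent to those functions, and flags 'url' values that point at non-public hosts. The log lines are constructed; the combined log format and every parameter name other than f, page and url are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit
# Endpoints named in the disclosure summary (paths and gating parameters copied from the page).
WATCHED = {
    "/classes/Users.php": ("sqli", "f", {"save", "delete"}),  # Hospitals Patient Records MS
    "/admin/": ("sqli", "page", {"user/manage_user"}),        # Water Billing MS
    "/index.php": ("ssrf", "url", None),                      # SEO Meta Tag Extractor
}
# Heuristic only: a quote in a legitimate surname also matches, so hits are triage leads, not verdicts.
SQLI_RE = re.compile(r"""['"]|--|/\*|;|\b(?:union|or|and)\b\s*[\d'"(]""", re.I)
# Apache/Nginx "combined" log format (assumed): client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def url_points_internal(value: str) -> bool:
    # True when the value names localhost or a non-global IP literal (loopback, RFC 1918, link-local).
    # A hostname is left alone: resolving it (and re-checking after redirects) belongs in the fetcher itself.
    host = urlsplit(value).hostname or ""
    try:
        return host in ("", "localhost") or not ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def triage_line(line: str) -> list:
    # Returns (rule, client_ip, detail) findings for one access-log line, or [] when nothing applies.
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    if parts.path not in WATCHED:
        return []
    kind, gate, gate_values = WATCHED[parts.path]
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    if gate not in params or (gate_values is not None and not set(params[gate]) & gate_values):
        return []
    findings = []
    if kind == "sqli":  # any other parameter on the watched function carrying SQL metacharacters
        for name, values in params.items():
            for v in values:
                if name != gate and SQLI_RE.search(v):
                    findings.append(("sqli", m["ip"], f"{parts.path} {gate}={params[gate][0]} {name}={v!r}"))
    else:  # SSRF: the URL the extractor is asked to fetch points back inside the network
        findings += [("ssrf", m["ip"], f"{parts.path} url={v!r}") for v in params[gate] if url_points_internal(v)]
    return findings
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [01/Jun/2026:10:00:00 +0000] "GET /classes/Users.php?f=delete&id=3%27%20OR%201%3D1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /index.php?url=http%3A%2F%2F10.0.0.12%2Fstatus HTTP/1.1" 200 2048',
    '198.51.100.2 - - [01/Jun/2026:10:00:03 +0000] "GET /index.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 1500',
    '203.0.113.9 - - [01/Jun/2026:10:00:04 +0000] "GET /admin/?page=user/manage_user&id=7 HTTP/1.1" 200 900',
]
```

Access logs carry only the query string, so POST bodies sent to these endpoints are invisible here; pair this with application-level or WAF request logging for the save/delete functions.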

A file and directory information exposure vulnerability is also present in SourceCodester Pet Grooming Management Software 1.0, affecting an unknown function within the admin directory. Denial of Service (DoS) vulnerabilities were found in SourceCodester Customer Review App 1.0, affecting the add_review, save_review, and get_all_reviews functions within review_app.py, though these require local access.

Notably, related coverage from Vypr Intelligence highlights that eight SQL injection CVEs across five code-projects applications were disclosed within a 48-hour window, with public exploit code available for all. While this specific batch includes vulnerabilities from various SourceCodester applications, the pattern of public exploits for SQLi flaws is a recurring concern.

As of the disclosure window, no official patches or vendor advisories from SourceCodester were immediately apparent for these vulnerabilities. Users of the affected applications, including Pizzafy Ecommerce System, Customer Review App, SEO Meta Tag Extractor, Computer Repair Shop Management System, Pharmacy Sales and Inventory System, Pet Grooming Management Software, Water Billing Management System, and Hospitals Patient Records Management System, are urged to seek updates or implement mitigating controls where possible. The presence of public exploits for numerous high and medium severity flaws necessitates immediate attention to mitigate the risk of active exploitation.

Synthesized by Vypr AI