CVE-2026-4780

A vulnerability was detected in SourceCodester Sales and Inventory System 1.0. An unknown function of the file update_out_standing.php in the HTTP GET Parameter Handler component is affected. Manipulation of the argument sid results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used.
References

Link - Resource
https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-UpdateOutStanding-sid.md - Exploit, Third Party Advisory
https://vuldb.com/?ctiid.352798 - Permissions Required, VDB Entry
https://vuldb.com/?id.352798 - Third Party Advisory, VDB Entry
https://vuldb.com/?submit.775173 - Third Party Advisory, VDB Entry
https://www.sourcecodester.com/ - Product
Configurations

Configuration 1

cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*

History

07 Apr 2026, 18:21

Type: CPE
  Values Added: cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Type: First Time
  Values Added: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom sales And Inventory System
Type: References
  Values Removed: https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-UpdateOutStanding-sid.md (no tags)
  Values Added: https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-UpdateOutStanding-sid.md - Exploit, Third Party Advisory
Type: References
  Values Removed: https://vuldb.com/?ctiid.352798 (no tags)
  Values Added: https://vuldb.com/?ctiid.352798 - Permissions Required, VDB Entry
Type: References
  Values Removed: https://vuldb.com/?id.352798 (no tags)
  Values Added: https://vuldb.com/?id.352798 - Third Party Advisory, VDB Entry
Type: References
  Values Removed: https://vuldb.com/?submit.775173 (no tags)
  Values Added: https://vuldb.com/?submit.775173 - Third Party Advisory, VDB Entry
Type: References
  Values Removed: https://www.sourcecodester.com/ (no tags)
  Values Added: https://www.sourcecodester.com/ - Product

25 Mar 2026, 15:41

Type: Summary
  Values Added: (es) A vulnerability was detected in SourceCodester Sales and Inventory System 1.0. An unknown function of the file update_out_standing.php in the HTTP GET parameter handler component is affected. Manipulation of the argument sid results in SQL injection. The attack can be carried out remotely. The exploit is now public and can be used.

25 Mar 2026, 00:16

Type: New CVE

Information

Published : 2026-03-25 00:16

Updated : 2026-06-17 10:57


NVD link : CVE-2026-4780

Mitre link : CVE-2026-4780

CVE.ORG link : CVE-2026-4780


Products Affected

ahsanriaz26gmailcom

  • sales_and_inventory_system
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')