Cyber Resilience

CVE-2024-40498

Critical

Published: 05 August 2024

Published
05 August 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1178 93.9th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40498 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-40498 is a SQL injection vulnerability in PuneethReddyHC Online Shopping system advanced version 1.0 that resides in the register.php component. The flaw, tracked under CWE-89, permits an unauthenticated remote attacker to supply crafted input that is executed as SQL statements, resulting in arbitrary code execution on the underlying database server.

An attacker with network access and no credentials or user interaction can exploit the issue to read, modify, or delete data and potentially gain further control over the application host. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting its critical severity due to the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.

The single public reference is a GitHub repository that appears to contain proof-of-concept material; no vendor advisory, patch, or official mitigation guidance is referenced in the available data. The associated EPSS score has remained flat at 0.1178 with no material increase since disclosure.

EU & UK References

Vulnerability details

SQL Injection vulnerability in PuneethReddyHC Online Shopping sysstem advanced v.1.0 allows an attacker to execute arbitrary code via the register.php

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References