CVE-2026-3755
Published: 08 March 2026
Summary
CVE-2026-3755 is a medium-severity Injection (CWE-74) vulnerability in Ahsanriaz26Gmailcom Sales And Inventory System (the SourceCodester Sales and Inventory System 1.0). Its CVSS base score is listed here as 5.3 (Medium); the analysis below cites a separate CVSS v3.1 scoring of 6.3 for the same issue, so the two figures come from different assessments and are not interchangeable.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The issue sits at the 21.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3755 is a SQL injection vulnerability in SourceCodester Sales and Inventory System 1.0, published on 2026-03-08. It affects an unknown function within the file /check_customer_details.php of the POST Handler component, where manipulation of the stock_name1 argument enables SQL injection. The issue is classified under CWE-74 and CWE-89.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L): reachable over the network, low attack complexity, low privileges required, no user interaction, unchanged scope, and low impact on each of confidentiality, integrity, and availability. An authenticated low-privilege attacker can therefore exploit it remotely, with limited but real impact on all three properties.
A proof-of-concept exploit is publicly disclosed on GitHub at https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-CheckCustomerDetails-stockname1.md. VulDB advisories provide further details at https://vuldb.com/?ctiid.349733, https://vuldb.com/?id.349733, and https://vuldb.com/?submit.768039, while the affected software originates from https://www.sourcecodester.com/. No patches or specific mitigations are detailed in the available references.
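To make the mechanism concrete, the following is an added example, not code from Sales and Inventory System, from the referenced PoC, or from VulDB: a Python/SQLite model of a POST handler that splices stock_name1 into a query, beside the parameterized form and an SI-10 style allow-list check applied before the value reaches any SQL. The table layout, the column names, the users table and the check_customer_details() function are assumptions made for illustration; the real PHP handler is not shown on this page.

```python
import re
import sqlite3


# Constructed stand-in for the application's database; the real table and
# column names of Sales and Inventory System 1.0 are not given on this page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stock (id INTEGER PRIMARY KEY, stock_name TEXT, qty INTEGER);
        INSERT INTO stock VALUES (1, 'Widget', 10), (2, 'Gadget', 3), (3, 'Gizmo', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'redacted-hash');
        """
    )
    return conn


def lookup_vulnerable(conn, stock_name1):
    """Assumed vulnerable pattern: the POST value is spliced into the SQL text."""
    sql = f"SELECT stock_name, qty FROM stock WHERE stock_name = '{stock_name1}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, stock_name1):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT stock_name, qty FROM stock WHERE stock_name = ?"
    return conn.execute(sql, (stock_name1,)).fetchall()


# SI-10 style allow-list: letters, digits, space, underscore, hyphen, 1-64 chars.
# Assumed character set; a real deployment would derive it from the data model.
STOCK_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def is_valid_stock_name(value):
    return isinstance(value, str) and STOCK_NAME_RE.fullmatch(value) is not None


def check_customer_details(conn, form):
    """Hypothetical replacement handler: validate first, then query with parameters.

    Returns the matching rows, or None when stock_name1 fails validation
    (a real handler would answer 400 Bad Request at that point).
    """
    value = form.get("stock_name1", "")
    if not is_valid_stock_name(value):
        return None
    return lookup_parameterized(conn, value)


if __name__ == "__main__":
    conn = make_db()
    tautology = "Widget' OR '1'='1"
    union = "x' UNION SELECT username, password_hash FROM users -- "
    print("vulnerable, benign:      ", lookup_vulnerable(conn, "Widget"))
    print("vulnerable, tautology:   ", lookup_vulnerable(conn, tautology))
    print("vulnerable, union:       ", lookup_vulnerable(conn, union))
    print("parameterized, tautology:", lookup_parameterized(conn, tautology))
    print("handler, tautology:      ", check_customer_details(conn, {"stock_name1": tautology}))
```

Against the constructed tables, the tautology returns every stock row from the vulnerable lookup and the UNION payload returns the admin row from the users table, while the parameterized lookup treats the same strings as literal (non-matching) stock names. The allow-list is a second, independent layer: parameter binding alone closes the injection, but rejecting unexpected characters up front also keeps bad input out of logs, error messages and any later string-building code.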
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10258
Vulnerability details
A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. It impacts an unknown function of the file /check_customer_details.php of the component POST Handler. Manipulation of the argument stock_name1 can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection in the POST handler of a publicly reachable web application gives an attacker initial access through T1190 (Exploit Public-Facing Application); once the injected queries run, they read the backing database, which maps to T1213.006 (Data from Information Repositories: Databases).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input such as the stock_name1 POST parameter before it reaches any SQL statement.
- SI-2 (Flaw Remediation): mandates timely remediation of the publicly disclosed SQL injection flaw in check_customer_details.php.
- Monitoring and alerting: enables detection of anomalous SQL statements or database error patterns that would result from exploitation of the stock_name1 parameter.
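As an added example of the monitoring and alerting control above (not code from the product, from VulDB, or from any SIEM), here is a small Python scanner run over constructed log lines: it flags POST values for stock_name1 that combine a quote with a SQL keyword or carry an inline comment sequence, and it picks MySQL syntax errors out of a PHP error log. The JSON request-log format, the IP addresses, timestamps, and the file line numbers in the error text are all constructed for illustration; the scanner also accepts other request paths, so it generalizes beyond the single handler named on this page.

```python
import json
import re

# Constructed sample records, not logs from the product or from any real host.
# Request log: one JSON object per line, with the parsed POST form included.
SAMPLE_REQUEST_LOG = """\
{"ts": "2026-03-08T10:00:01Z", "ip": "203.0.113.5", "method": "POST", "path": "/check_customer_details.php", "form": {"stock_name1": "Widget"}}
{"ts": "2026-03-08T10:00:02Z", "ip": "203.0.113.5", "method": "POST", "path": "/check_customer_details.php", "form": {"stock_name1": "Widget' OR '1'='1"}}
{"ts": "2026-03-08T10:00:03Z", "ip": "198.51.100.9", "method": "POST", "path": "/check_customer_details.php", "form": {"stock_name1": "x' UNION SELECT username, password FROM users -- "}}
{"ts": "2026-03-08T10:00:04Z", "ip": "203.0.113.5", "method": "POST", "path": "/check_customer_details.php", "form": {"stock_name1": "O'Brien Tools"}}
"""

# Constructed PHP error-log lines in the shape PHP emits when mysqli reports
# errors as exceptions; the file line numbers are invented for the example.
SAMPLE_APP_LOG = """\
[08-Mar-2026 10:00:02 UTC] PHP Fatal error:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 in /var/www/html/check_customer_details.php:12
[08-Mar-2026 10:00:05 UTC] PHP Warning:  Undefined array key "stock_name1" in /var/www/html/check_customer_details.php on line 9
"""

SQL_KEYWORD = re.compile(r"(?i)\b(or|and|union|select|sleep|benchmark)\b")
SQL_COMMENT = re.compile(r"--|/\*")
QUOTE = re.compile(r"['\"]")
DB_ERROR = re.compile(r"You have an error in your SQL syntax|mysqli_sql_exception|SQLSTATE\[")


def looks_like_sqli(value):
    """True for a quote combined with a SQL keyword, or an inline comment sequence.

    Requiring both a quote and a keyword keeps legitimate apostrophes such as
    "O'Brien Tools" from firing on their own; comment sequences fire alone.
    """
    if SQL_COMMENT.search(value):
        return True
    return bool(QUOTE.search(value) and SQL_KEYWORD.search(value))


def scan_request_log(text, path="/check_customer_details.php"):
    """Return one finding per suspicious POST parameter value.

    path limits the scan to one handler; pass path=None to inspect every POST.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        if path is not None and rec.get("path") != path:
            continue
        for param, value in rec.get("form", {}).items():
            if isinstance(value, str) and looks_like_sqli(value):
                findings.append(
                    {"ts": rec["ts"], "ip": rec["ip"], "path": rec["path"],
                     "param": param, "value": value}
                )
    return findings


def scan_app_log(text):
    """Return application-log lines that carry a database error signature."""
    return [line for line in text.splitlines() if DB_ERROR.search(line)]


if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_REQUEST_LOG):
        print("request:", hit["ts"], hit["ip"], hit["param"], repr(hit["value"]))
    for line in scan_app_log(SAMPLE_APP_LOG):
        print("app-log:", line[:90])
```

On the constructed input the scanner reports the tautology and the UNION attempt but not the apostrophe in "O'Brien Tools", and it surfaces the one MySQL syntax error while ignoring the unrelated PHP warning. Correlating the two streams by timestamp and source address (10:00:02 appears in both above) is what turns a single flagged request into an alert worth paging on.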