Cyber Resilience

CVE-2026-3792

MediumPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3792 is a medium-severity Injection (CWE-74) vulnerability in Ahsanriaz26Gmailcom Sales And Inventory System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3792 is a SQL injection vulnerability in SourceCodester Sales and Inventory System 1.0, affecting an unknown part of the file purchase_invoice.php within the GET Parameter Handler component. The issue arises from manipulation of the 'purchaseid' argument, allowing remote attackers to inject malicious SQL payloads. Published on 2026-03-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries. A proof-of-concept exploit has been publicly disclosed and could be adapted for use.

VulDB advisories (vuldb.com/?ctiid.349759, vuldb.com/?id.349759, vuldb.com/?submit.768047) provide detailed vulnerability information and submission details, while a GitHub repository (github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-PurchaseInvoice-purchaseid.md) hosts the PoC exploit. The vendor site (sourcecodester.com) is referenced, though specific patch or mitigation guidance is not detailed in available sources.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file purchase_invoice.php of the component GET Parameter Handler. The manipulation of the argument purchaseid results in sql injection. The attack may be…

more

performed from remote. The exploit has been made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application (purchase_invoice.php GET handler) directly enables initial access via exploitation of a public-facing app per T1190; limited C/I/A impact and lack of OS command execution or other primitives preclude additional techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3790Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-4780Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-3756Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-3791Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-4781Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-3754Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-3793Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-4826Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-4570Same product: Ahsanriaz26Gmailcom Sales And Inventory System
CVE-2026-3753Same product: Ahsanriaz26Gmailcom Sales And Inventory System

Affected Assets

ahsanriaz26gmailcom
sales and inventory system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the purchaseid GET parameter to block malicious SQL payloads before they reach the database.

prevent

Enforces access-control policy on purchase_invoice.php so that only authorized queries are permitted, limiting the ability of injected statements to succeed.

detect

Monitors integrity of application code and data flows, providing secondary detection of unauthorized SQL modifications resulting from the injection.

References