CVE-2026-4613
Published: 24 March 2026
Summary
CVE-2026-4613 is a medium-severity Injection (CWE-74) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4613 is a SQL injection vulnerability in SourceCodester E-Commerce Site 1.0, affecting unknown code in the /products.php file. The issue arises from manipulation of the 'Search' argument and is classified under CWE-74 (Injection) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote exploitability.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories are documented on VulDB (ctiid.352477, id.352477, submit.775689), with a public exploit available on GitHub at WHOAMI-xiaoyu/CVE/blob/main/CVE_4.md. The vendor site at sourcecodester.com is referenced, though no specific patches or mitigations are detailed in the disclosure.
The exploit has been made public and could be used, heightening the risk of real-world attacks against unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14658
Vulnerability details
A vulnerability was found in SourceCodester E-Commerce Site 1.0. This vulnerability affects unknown code of the file /products.php. The manipulation of the argument Search results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web app (/products.php) directly enables remote exploitation of the application (T1190) with no user interaction required.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by validating and sanitizing the 'Search' argument manipulated in /products.php.
- SI-2 (Flaw Remediation): Remediates the specific SQL injection flaw in SourceCodester E-Commerce Site 1.0 through timely patching and testing.
- Vulnerability scanning: Identifies and prioritizes SQL injection vulnerabilities like CVE-2026-4613 for remediation.
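The following PHP is an added illustration of the SI-10 fix for a product-search handler like /products.php; it is not code from SourceCodester E-Commerce Site. Only the request parameter name "Search" comes from the advisory; the table and column names, the database credentials and the length limit are assumptions.

```php
<?php
// Added illustration, not the vulnerable project's own code.
// Assumed schema: table products(id, name, price); assumed DB credentials below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

// Vulnerable pattern: the request value is spliced into the SQL text, so a quote
// or other SQL metacharacter in ?Search= changes the statement's structure.
function searchProductsVulnerable(mysqli $db, string $search): array
{
    $sql = "SELECT id, name, price FROM products WHERE name LIKE '%" . $search . "%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Hardened pattern (NIST 800-53 SI-10): the SQL text is fixed and the value is
// sent as a bound parameter, so user input is never parsed as SQL. LIKE
// wildcards in the term are escaped so the user cannot widen the match.
function searchProductsSafe(mysqli $db, string $search): array
{
    // Reject oversized input before it reaches the database (assumed limit).
    if (strlen($search) > 100) {
        throw new InvalidArgumentException('Search term too long');
    }
    // Escape LIKE metacharacters (% and _) and backslash inside the term;
    // MySQL's default LIKE escape character is backslash.
    $pattern = '%' . addcslashes($search, '%_\\') . '%';

    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling: read the Search argument and use only the safe variant.
$db = new mysqli('localhost', 'shop_user', 'shop_pass', 'shop'); // assumed credentials
$db->set_charset('utf8mb4');
$term = (string) ($_GET['Search'] ?? '');
try {
    $rows = searchProductsSafe($db, $term);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid search term');
}
foreach ($rows as $row) {
    // Encode output so the stored name cannot inject markup into the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The vulnerable function is kept only to show the difference in structure; a code review or SAST rule that flags string concatenation into query() calls catches the first form and accepts the second.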