CVE-2026-4781
Published: 25 March 2026
Summary
CVE-2026-4781 is a medium-severity Injection (CWE-74) vulnerability in Ahsanriaz26Gmailcom Sales And Inventory System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection by requiring validation of untrusted HTTP GET inputs like the 'sid' parameter in update_purchase.php.
Ensures timely identification, reporting, and correction of the specific SQL injection flaw in the Sales and Inventory System.
Requires vulnerability scanning that would identify the SQL injection vulnerability in update_purchase.php via tools capable of detecting CWE-89 issues.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in remotely accessible web app (update_purchase.php) directly enables initial access via exploitation of public-facing application per T1190.
NVD Description
A flaw has been found in SourceCodester Sales and Inventory System 1.0. The affected element is an unknown function of the file update_purchase.php of the component HTTP GET Parameter Handler. Executing a manipulation of the argument sid can lead to…
more
sql injection. The attack may be performed from remote. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-4781 is a SQL injection vulnerability in SourceCodester Sales and Inventory System 1.0. The flaw affects an unknown function within the file update_purchase.php, specifically in the HTTP GET Parameter Handler component, where manipulation of the 'sid' argument enables injection. This issue falls under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or minor disruption via SQL queries crafted through the 'sid' parameter.
Advisories from VulDB (ctiid.352799, id.352799, submit.775174) document the issue and confirm remote exploitability, while a proof-of-concept is publicly available on GitHub at meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-UpdatePurchase-sid.md. No patches or specific mitigations are detailed in the provided references, and the vendor site at sourcecodester.com offers no further remediation guidance.
The exploit PoC has been published, increasing the risk of real-world abuse against exposed instances of the affected system.
Details
- CWE(s)