Skip to content
Threat Feed
high advisory

CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery Management System SQL Injection

A high-severity SQL injection vulnerability, CVE-2026-14695, exists in SourceCodester Multi-Vendor Online Grocery Management System 1.0, allowing remote attackers to manipulate the 'Name' argument within the `save_client` function of `classes/Users.php` to execute arbitrary SQL commands, with a public exploit available.

A significant vulnerability, identified as CVE-2026-14695, has been discovered in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This flaw specifically affects the save_client function located within the classes/Users.php file, which is part of the Registration Handler component. Attackers can remotely exploit this weakness by manipulating the 'Name' argument, leading to a classic SQL injection scenario. The presence of a publicly available exploit significantly escalates the risk, making affected systems immediate targets for data compromise or further malicious activity. This vulnerability has a CVSS v3.1 base score of 7.3, categorizing it as high severity due to its network-exploitability and potential for data impact.

Attack Chain

  1. Attacker identifies a target running SourceCodester Multi-Vendor Online Grocery Management System 1.0 through reconnaissance.
  2. Attacker crafts a malicious HTTP POST request, targeting the classes/Users.php file and specifically the save_client function.
  3. The crafted request includes an SQL injection payload embedded within the 'Name' argument, designed to bypass input validation.
  4. Upon receipt, the vulnerable save_client function processes the unsanitized 'Name' argument, directly incorporating the malicious string into a database query.
  5. The malicious SQL query is then executed by the backend database, granting the attacker unauthorized access to, or manipulation of, the database contents.
  6. Attacker proceeds to exfiltrate sensitive data, such as user credentials, customer information, or product details, or alters existing data for fraudulent purposes.

Impact

The successful exploitation of CVE-2026-14695 can lead to severe consequences for organizations utilizing SourceCodester Multi-Vendor Online Grocery Management System 1.0. Attackers can gain unauthorized access to critical backend databases, potentially compromising sensitive customer data including names, addresses, purchase history, and even authentication credentials. This breach can result in significant financial losses, reputational damage, regulatory penalties (e.g., GDPR, CCPA violations), and disruption of business operations. The public availability of an exploit increases the likelihood of widespread targeting.

Recommendation

  • Patch CVE-2026-14695 immediately: Apply any available patches or vendor-provided updates for SourceCodester Multi-Vendor Online Grocery Management System 1.0 to address the SQL injection vulnerability.
  • Implement Web Application Firewall (WAF) rules: Configure WAFs to detect and block SQL injection attempts, specifically looking for common SQLi patterns in POST requests targeting classes/Users.php and the 'Name' argument.
  • Conduct code review and input validation: Perform a thorough security audit of the save_client function in classes/Users.php and all other input handling components to ensure proper sanitization and parameterized queries are used.