{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/multi-vendor-online-grocery-management-system-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14695"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Multi-Vendor Online Grocery Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","sourcecodester","data-theft"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-14695, has been discovered in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This flaw specifically affects the \u003ccode\u003esave_client\u003c/code\u003e function located within the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file, which is part of the Registration Handler component. Attackers can remotely exploit this weakness by manipulating the 'Name' argument, leading to a classic SQL injection scenario. The presence of a publicly available exploit significantly escalates the risk, making affected systems immediate targets for data compromise or further malicious activity. This vulnerability has a CVSS v3.1 base score of 7.3, categorizing it as high severity due to its network-exploitability and potential for data impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target running \u003ccode\u003eSourceCodester Multi-Vendor Online Grocery Management System 1.0\u003c/code\u003e through reconnaissance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request, targeting the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file and specifically the \u003ccode\u003esave_client\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an SQL injection payload embedded within the 'Name' argument, designed to bypass input validation.\u003c/li\u003e\n\u003cli\u003eUpon receipt, the vulnerable \u003ccode\u003esave_client\u003c/code\u003e function processes the unsanitized 'Name' argument, directly incorporating the malicious string into a database query.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is then executed by the backend database, granting the attacker unauthorized access to, or manipulation of, the database contents.\u003c/li\u003e\n\u003cli\u003eAttacker proceeds to exfiltrate sensitive data, such as user credentials, customer information, or product details, or alters existing data for fraudulent purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14695 can lead to severe consequences for organizations utilizing SourceCodester Multi-Vendor Online Grocery Management System 1.0. Attackers can gain unauthorized access to critical backend databases, potentially compromising sensitive customer data including names, addresses, purchase history, and even authentication credentials. This breach can result in significant financial losses, reputational damage, regulatory penalties (e.g., GDPR, CCPA violations), and disruption of business operations. The public availability of an exploit increases the likelihood of widespread targeting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14695 immediately:\u003c/strong\u003e Apply any available patches or vendor-provided updates for SourceCodester Multi-Vendor Online Grocery Management System 1.0 to address the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Web Application Firewall (WAF) rules:\u003c/strong\u003e Configure WAFs to detect and block SQL injection attempts, specifically looking for common SQLi patterns in POST requests targeting \u003ccode\u003eclasses/Users.php\u003c/code\u003e and the 'Name' argument.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConduct code review and input validation:\u003c/strong\u003e Perform a thorough security audit of the \u003ccode\u003esave_client\u003c/code\u003e function in \u003ccode\u003eclasses/Users.php\u003c/code\u003e and all other input handling components to ensure proper sanitization and parameterized queries are used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T03:17:53Z","date_published":"2026-07-05T03:17:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/","summary":"A high-severity SQL injection vulnerability, CVE-2026-14695, exists in SourceCodester Multi-Vendor Online Grocery Management System 1.0, allowing remote attackers to manipulate the 'Name' argument within the `save_client` function of `classes/Users.php` to execute arbitrary SQL commands, with a public exploit available.","title":"CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery Management System SQL Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14690"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Multi-Vendor Online Grocery Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web-application","improper-authorization","cve","sourcecodester"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-14690, has been identified in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This vulnerability specifically resides within the \u003ccode\u003esave_users\u003c/code\u003e function located in the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file. The weakness stems from improper authorization controls, allowing an attacker to bypass security checks and manipulate user accounts. Remote exploitation is possible, meaning attackers do not need prior access to the system or user credentials. A public exploit has been made available, increasing the urgency for immediate remediation. For defenders, this vulnerability represents a critical risk of unauthorized access, privilege escalation, and potential compromise of the online grocery management system, including sensitive customer and transactional data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies the vulnerable SourceCodester Multi-Vendor Online Grocery Management System 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/classes/Users.php\u003c/code\u003e endpoint to invoke the \u003ccode\u003esave_users\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the improper authorization flaw, the application fails to adequately verify the attacker's privileges or authentication status for the \u003ccode\u003esave_users\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this bypass to create a new administrative user account or modify the roles/privileges of an existing low-privileged user.\u003c/li\u003e\n\u003cli\u003eWith the newly acquired or elevated administrative credentials, the attacker logs into the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative control over the Multi-Vendor Online Grocery Management System, potentially leading to data exfiltration, system defacement, or further compromise of the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14690 would grant unauthorized administrative access to the Multi-Vendor Online Grocery Management System. This direct compromise could lead to severe consequences, including the theft of sensitive customer information (e.g., personal data, order history), financial transaction manipulation, alteration of product inventories, or complete disruption of the online grocery platform. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk of significant reputational damage, financial loss, and regulatory penalties due to data breaches and service interruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply any available patches or security updates from SourceCodester for the Multi-Vendor Online Grocery Management System 1.0 to address CVE-2026-14690.\u003c/li\u003e\n\u003cli\u003eReview access logs for \u003ccode\u003e/classes/Users.php\u003c/code\u003e for any unauthorized or suspicious POST requests that occurred prior to applying the patch for CVE-2026-14690.\u003c/li\u003e\n\u003cli\u003ePerform an audit of user accounts, especially administrative accounts, for any newly created or modified users since the system's deployment or the disclosure of CVE-2026-14690, investigating any anomalous entries.\u003c/li\u003e\n\u003cli\u003eRefer to the provided references (\u003ca href=\"https://vuldb.com/cve/CVE-2026-14690\"\u003ehttps://vuldb.com/cve/CVE-2026-14690\u003c/a\u003e, \u003ca href=\"https://github.com/lee945/cve/issues/1\"\u003ehttps://github.com/lee945/cve/issues/1\u003c/a\u003e) for further details on the vulnerability and potential mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T02:19:33Z","date_published":"2026-07-05T02:19:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/","summary":"A high-severity improper authorization vulnerability (CVE-2026-14690) in the `save_users` function of SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to manipulate user accounts, potentially leading to privilege escalation or unauthorized access, with a public exploit readily available.","title":"CVE-2026-14690: Improper Authorization in SourceCodester Multi-Vendor Online Grocery Management System","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/"}],"language":"en","title":"CraftedSignal Threat Feed - Multi-Vendor Online Grocery Management System 1.0","version":"https://jsonfeed.org/version/1.1"}