<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Multi-Vendor Online Grocery Management System 1.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/multi-vendor-online-grocery-management-system-1.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 03:17:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/multi-vendor-online-grocery-management-system-1.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery Management System SQL Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/</link><pubDate>Sun, 05 Jul 2026 03:17:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/</guid><description>A high-severity SQL injection vulnerability, CVE-2026-14695, exists in SourceCodester Multi-Vendor Online Grocery Management System 1.0, allowing remote attackers to manipulate the 'Name' argument within the `save_client` function of `classes/Users.php` to execute arbitrary SQL commands, with a public exploit available.</description><content:encoded><![CDATA[<p>A significant vulnerability, identified as CVE-2026-14695, has been discovered in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This flaw specifically affects the <code>save_client</code> function located within the <code>classes/Users.php</code> file, which is part of the Registration Handler component. Attackers can remotely exploit this weakness by manipulating the 'Name' argument, leading to a classic SQL injection scenario. The presence of a publicly available exploit significantly escalates the risk, making affected systems immediate targets for data compromise or further malicious activity. This vulnerability has a CVSS v3.1 base score of 7.3, categorizing it as high severity due to its network-exploitability and potential for data impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a target running <code>SourceCodester Multi-Vendor Online Grocery Management System 1.0</code> through reconnaissance.</li>
<li>Attacker crafts a malicious HTTP POST request, targeting the <code>classes/Users.php</code> file and specifically the <code>save_client</code> function.</li>
<li>The crafted request includes an SQL injection payload embedded within the 'Name' argument, designed to bypass input validation.</li>
<li>Upon receipt, the vulnerable <code>save_client</code> function processes the unsanitized 'Name' argument, directly incorporating the malicious string into a database query.</li>
<li>The malicious SQL query is then executed by the backend database, granting the attacker unauthorized access to, or manipulation of, the database contents.</li>
<li>Attacker proceeds to exfiltrate sensitive data, such as user credentials, customer information, or product details, or alters existing data for fraudulent purposes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-14695 can lead to severe consequences for organizations utilizing SourceCodester Multi-Vendor Online Grocery Management System 1.0. Attackers can gain unauthorized access to critical backend databases, potentially compromising sensitive customer data including names, addresses, purchase history, and even authentication credentials. This breach can result in significant financial losses, reputational damage, regulatory penalties (e.g., GDPR, CCPA violations), and disruption of business operations. The public availability of an exploit increases the likelihood of widespread targeting.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-14695 immediately:</strong> Apply any available patches or vendor-provided updates for SourceCodester Multi-Vendor Online Grocery Management System 1.0 to address the SQL injection vulnerability.</li>
<li><strong>Implement Web Application Firewall (WAF) rules:</strong> Configure WAFs to detect and block SQL injection attempts, specifically looking for common SQLi patterns in POST requests targeting <code>classes/Users.php</code> and the 'Name' argument.</li>
<li><strong>Conduct code review and input validation:</strong> Perform a thorough security audit of the <code>save_client</code> function in <code>classes/Users.php</code> and all other input handling components to ensure proper sanitization and parameterized queries are used.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-vulnerability</category><category>cve</category><category>sourcecodester</category><category>data-theft</category></item><item><title>CVE-2026-14690: Improper Authorization in SourceCodester Multi-Vendor Online Grocery Management System</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/</link><pubDate>Sun, 05 Jul 2026 02:19:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/</guid><description>A high-severity improper authorization vulnerability (CVE-2026-14690) in the `save_users` function of SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to manipulate user accounts, potentially leading to privilege escalation or unauthorized access, with a public exploit readily available.</description><content:encoded><![CDATA[<p>A significant security flaw, tracked as CVE-2026-14690, has been identified in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This vulnerability specifically resides within the <code>save_users</code> function located in the <code>classes/Users.php</code> file. The weakness stems from improper authorization controls, allowing an attacker to bypass security checks and manipulate user accounts. Remote exploitation is possible, meaning attackers do not need prior access to the system or user credentials. A public exploit has been made available, increasing the urgency for immediate remediation. For defenders, this vulnerability represents a critical risk of unauthorized access, privilege escalation, and potential compromise of the online grocery management system, including sensitive customer and transactional data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies the vulnerable SourceCodester Multi-Vendor Online Grocery Management System 1.0 instance.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/classes/Users.php</code> endpoint to invoke the <code>save_users</code> function.</li>
<li>Due to the improper authorization flaw, the application fails to adequately verify the attacker's privileges or authentication status for the <code>save_users</code> operation.</li>
<li>The attacker leverages this bypass to create a new administrative user account or modify the roles/privileges of an existing low-privileged user.</li>
<li>With the newly acquired or elevated administrative credentials, the attacker logs into the system.</li>
<li>The attacker gains full administrative control over the Multi-Vendor Online Grocery Management System, potentially leading to data exfiltration, system defacement, or further compromise of the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14690 would grant unauthorized administrative access to the Multi-Vendor Online Grocery Management System. This direct compromise could lead to severe consequences, including the theft of sensitive customer information (e.g., personal data, order history), financial transaction manipulation, alteration of product inventories, or complete disruption of the online grocery platform. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk of significant reputational damage, financial loss, and regulatory penalties due to data breaches and service interruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply any available patches or security updates from SourceCodester for the Multi-Vendor Online Grocery Management System 1.0 to address CVE-2026-14690.</li>
<li>Review access logs for <code>/classes/Users.php</code> for any unauthorized or suspicious POST requests that occurred prior to applying the patch for CVE-2026-14690.</li>
<li>Perform an audit of user accounts, especially administrative accounts, for any newly created or modified users since the system's deployment or the disclosure of CVE-2026-14690, investigating any anomalous entries.</li>
<li>Refer to the provided references (<a href="https://vuldb.com/cve/CVE-2026-14690">https://vuldb.com/cve/CVE-2026-14690</a>, <a href="https://github.com/lee945/cve/issues/1">https://github.com/lee945/cve/issues/1</a>) for further details on the vulnerability and potential mitigation strategies.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>improper-authorization</category><category>cve</category><category>sourcecodester</category></item></channel></rss>