{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sourcecodester/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14732"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Class and Exam Timetabling System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","sourcecodester","initial-access"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability (CVE-2026-14732) has been publicly disclosed in SourceCodester Class and Exam Timetabling System version 1.0. This flaw, residing in the \u003ccode\u003e/edit_exam.php\u003c/code\u003e file, allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database by manipulating the \u003ccode\u003eID\u003c/code\u003e argument. The vulnerability was published to NVD on July 5, 2026, with a CVSS v3.1 base score of 7.3 (High). The public disclosure of exploit details means that this vulnerability can be actively leveraged by malicious actors. Organizations using this system are at immediate risk of data compromise, unauthorized access, and potential remote code execution, making prompt remediation crucial for protecting sensitive information and maintaining system integrity. This affects any instance exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing instance of SourceCodester Class and Exam Timetabling System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially formed HTTP GET or POST request targeting the \u003ccode\u003e/edit_exam.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious SQL payload within the \u003ccode\u003eID\u003c/code\u003e argument (e.g., \u003ccode\u003eid=1%27+UNION+SELECT+null,user(),null--\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes this request without properly sanitizing the \u003ccode\u003eID\u003c/code\u003e input, causing the web server to execute the attacker's embedded SQL query against its backend database.\u003c/li\u003e\n\u003cli\u003eThe database responds to the malicious query, potentially revealing sensitive data such as user credentials, database schema, or other confidential information.\u003c/li\u003e\n\u003cli\u003eThe web server includes the results of the SQL query within the HTTP response, allowing the attacker to exfiltrate the compromised data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14732 can lead to severe consequences for organizations utilizing SourceCodester Class and Exam Timetabling System 1.0. Attackers can exfiltrate sensitive student and faculty data, manipulate existing records, or gain administrative access to the application. This could result in privacy breaches, academic fraud, disruption of critical scheduling operations, and reputational damage. The public availability of exploit details increases the likelihood of widespread targeting and automated attacks against vulnerable systems, posing a significant risk to affected educational institutions or internal training departments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14732 on all affected SourceCodester Class and Exam Timetabling System 1.0 instances immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect exploitation attempts targeting \u003ccode\u003e/edit_exam.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for \u003ccode\u003eSourceCodester Class and Exam Timetabling System 1.0\u003c/code\u003e for requests to \u003ccode\u003e/edit_exam.php\u003c/code\u003e containing suspicious \u003ccode\u003eID\u003c/code\u003e parameters indicative of SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T09:18:49Z","date_published":"2026-07-05T09:18:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14732-sql-injection/","summary":"A critical SQL injection vulnerability (CVE-2026-14732) in SourceCodester Class and Exam Timetabling System 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via manipulation of the `ID` argument in `/edit_exam.php`, leading to data exfiltration and potential system compromise.","title":"CVE-2026-14732: SQL Injection in SourceCodester Class and Exam Timetabling System","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14732-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14719"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Onlne Examination \u0026 Learning Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","cve","sourcecodester","improper-privilege-management"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant vulnerability, tracked as CVE-2026-14719, has been discovered in SourceCodester Onlne Examination \u0026amp; Learning Management System version 1.0. This flaw affects the Registration Endpoint, specifically within the \u003ccode\u003eregister.php\u003c/code\u003e file, where it exhibits improper privilege management. Attackers can exploit this by manipulating the \u003ccode\u003erole\u003c/code\u003e argument during user registration. This remote vulnerability can lead to privilege escalation, allowing an unauthenticated attacker to gain elevated access within the system, potentially compromising sensitive educational data or administrative functions. The severity of this issue is heightened by the fact that a public exploit has been published and is readily available for use, making it an immediate threat to organizations utilizing this system. Defenders should prioritize patching and monitoring for exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies a publicly accessible instance of SourceCodester Onlne Examination \u0026amp; Learning Management System 1.0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker confirms the application version and identifies the vulnerable \u003ccode\u003eregister.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafted Request\u003c/strong\u003e: The attacker crafts an HTTP POST request to \u003ccode\u003e/register.php\u003c/code\u003e that includes a manipulated \u003ccode\u003erole\u003c/code\u003e argument within the registration data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation\u003c/strong\u003e: The crafted request is sent to the vulnerable endpoint, attempting to assign an elevated \u003ccode\u003erole\u003c/code\u003e (e.g., 'admin', 'instructor') to a newly created user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Assignment\u003c/strong\u003e: Due to improper privilege management inherent in CVE-2026-14719, the system processes the request and creates the new user with the attacker-specified elevated \u003ccode\u003erole\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access\u003c/strong\u003e: The attacker logs into the system using the credentials of the newly created account, now possessing administrative or other highly privileged access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains full control over system functionalities, potentially accessing sensitive student records, modifying examination content, or disrupting learning operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of CVE-2026-14719 can lead to severe consequences. Attackers can achieve unauthorized privilege escalation, granting them full administrative control over the SourceCodester Onlne Examination \u0026amp; Learning Management System. This can result in data breaches involving sensitive student or faculty information, unauthorized modification of grades or course materials, system downtime, and reputational damage for educational institutions. The public availability of an exploit significantly increases the likelihood of widespread attacks, putting all unpatched instances at immediate risk of compromise. The CVSS 3.1 Base Score of 7.3 (High) underscores the critical nature of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14719\u003c/strong\u003e: Immediately apply any available patches or vendor-provided mitigations for SourceCodester Onlne Examination \u0026amp; Learning Management System 1.0 to address CVE-2026-14719.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement WAF Rules\u003c/strong\u003e: Deploy a Web Application Firewall (WAF) to block HTTP POST requests to \u003ccode\u003e/register.php\u003c/code\u003e that contain suspicious \u003ccode\u003erole\u003c/code\u003e parameter manipulations, as indicated in the Sigma rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Web Logs\u003c/strong\u003e: Enable and review web server logs for \u003ccode\u003e/register.php\u003c/code\u003e access patterns, specifically looking for HTTP POST requests with a \u003ccode\u003erole\u003c/code\u003e argument, as described in the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit New User Registrations\u003c/strong\u003e: Regularly audit new user registrations for the SourceCodester Onlne Examination \u0026amp; Learning Management System, paying close attention to any accounts created with elevated or unusual privilege levels.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T08:20:00Z","date_published":"2026-07-05T08:20:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14719-privesc/","summary":"A critical remote vulnerability (CVE-2026-14719) has been identified in SourceCodester Onlne Examination \u0026 Learning Management System version 1.0. The flaw resides in the Registration Endpoint, specifically within the 'register.php' file, where improper privilege management allows for manipulation of the 'role' argument, leading to unauthorized privilege escalation. A public exploit for this vulnerability has been published, increasing the immediate risk of exploitation.","title":"CVE-2026-14719: SourceCodester Onlne Examination \u0026 Learning Management System Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14719-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14713"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pizzafy E-Commerce System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","sourcecodester","e-commerce"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-14713, has been identified in the SourceCodester Pizzafy E-Commerce System 1.0. This vulnerability manifests as a remote SQL injection within the \u003ccode\u003e/admin/ajax.php\u003c/code\u003e file, specifically when handling the \u003ccode\u003eID\u003c/code\u003e argument in the \u003ccode\u003eaction=confirm_order\u003c/code\u003e context. Threat actors can exploit this by crafting malicious HTTP requests that embed SQL queries into the \u003ccode\u003eID\u003c/code\u003e parameter. The flaw allows for unauthenticated remote exploitation, meaning attackers can leverage it without prior access to the system. The existence of a public exploit for this vulnerability elevates the immediate risk, making it critical for organizations using this software to patch or implement protective measures swiftly to prevent potential data breaches, unauthorized data manipulation, or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a publicly accessible instance of SourceCodester Pizzafy E-Commerce System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially designed HTTP GET request targeting the \u003ccode\u003e/admin/ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction=confirm_order\u003c/code\u003e parameter and a malicious SQL payload embedded within the \u003ccode\u003eID\u003c/code\u003e argument (e.g., \u003ccode\u003eID=1 UNION SELECT @@version, user(), database()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes this request, failing to properly sanitize the \u003ccode\u003eID\u003c/code\u003e parameter, and executes the attacker-supplied SQL query against its backend database.\u003c/li\u003e\n\u003cli\u003eThe database management system (DBMS) processes the injected query and returns the results within the legitimate HTTP response from the web server.\u003c/li\u003e\n\u003cli\u003eAttacker parses the web server's response to extract sensitive information, such as database schema, user credentials, system configuration, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to refine payloads to further exfiltrate, modify, or potentially corrupt data within the database, ultimately achieving data compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14713 can lead to severe consequences for organizations utilizing SourceCodester Pizzafy E-Commerce System 1.0. As a remote SQL injection vulnerability, attackers can gain unauthorized access to the underlying database. This typically results in full data compromise, including exfiltration of sensitive customer data (names, addresses, payment information), administrative credentials, and other proprietary business data. Attackers could also tamper with order details, pricing, inventory, or user accounts, causing financial losses, reputational damage, and operational disruption. While the source does not specify victim count or targeted sectors, any organization deploying this specific version of the e-commerce system is at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch SourceCodester Pizzafy E-Commerce System 1.0 to a non-vulnerable version if available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-14713 Exploitation — Pizzafy SQL Injection\u0026quot; to your SIEM/WAF and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging (category \u003ccode\u003ewebserver\u003c/code\u003e) to capture \u003ccode\u003ecs-uri-stem\u003c/code\u003e, \u003ccode\u003ecs-uri-query\u003c/code\u003e, and \u003ccode\u003ecs-method\u003c/code\u003e for detailed forensic analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T06:26:12Z","date_published":"2026-07-05T06:26:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pizzafy-sql-injection/","summary":"A critical SQL injection vulnerability (CVE-2026-14713) exists in SourceCodester Pizzafy E-Commerce System version 1.0, allowing unauthenticated remote attackers to execute arbitrary SQL commands by manipulating the 'ID' argument in the `/admin/ajax.php?action=confirm_order` endpoint, potentially leading to data exfiltration or modification, with a public exploit available.","title":"CVE-2026-14713 — SQL Injection in SourceCodester Pizzafy E-Commerce System","url":"https://feed.craftedsignal.io/briefs/2026-07-pizzafy-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14695"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Multi-Vendor Online Grocery Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","sourcecodester","data-theft"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-14695, has been discovered in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This flaw specifically affects the \u003ccode\u003esave_client\u003c/code\u003e function located within the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file, which is part of the Registration Handler component. Attackers can remotely exploit this weakness by manipulating the 'Name' argument, leading to a classic SQL injection scenario. The presence of a publicly available exploit significantly escalates the risk, making affected systems immediate targets for data compromise or further malicious activity. This vulnerability has a CVSS v3.1 base score of 7.3, categorizing it as high severity due to its network-exploitability and potential for data impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target running \u003ccode\u003eSourceCodester Multi-Vendor Online Grocery Management System 1.0\u003c/code\u003e through reconnaissance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request, targeting the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file and specifically the \u003ccode\u003esave_client\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an SQL injection payload embedded within the 'Name' argument, designed to bypass input validation.\u003c/li\u003e\n\u003cli\u003eUpon receipt, the vulnerable \u003ccode\u003esave_client\u003c/code\u003e function processes the unsanitized 'Name' argument, directly incorporating the malicious string into a database query.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is then executed by the backend database, granting the attacker unauthorized access to, or manipulation of, the database contents.\u003c/li\u003e\n\u003cli\u003eAttacker proceeds to exfiltrate sensitive data, such as user credentials, customer information, or product details, or alters existing data for fraudulent purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14695 can lead to severe consequences for organizations utilizing SourceCodester Multi-Vendor Online Grocery Management System 1.0. Attackers can gain unauthorized access to critical backend databases, potentially compromising sensitive customer data including names, addresses, purchase history, and even authentication credentials. This breach can result in significant financial losses, reputational damage, regulatory penalties (e.g., GDPR, CCPA violations), and disruption of business operations. The public availability of an exploit increases the likelihood of widespread targeting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14695 immediately:\u003c/strong\u003e Apply any available patches or vendor-provided updates for SourceCodester Multi-Vendor Online Grocery Management System 1.0 to address the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Web Application Firewall (WAF) rules:\u003c/strong\u003e Configure WAFs to detect and block SQL injection attempts, specifically looking for common SQLi patterns in POST requests targeting \u003ccode\u003eclasses/Users.php\u003c/code\u003e and the 'Name' argument.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConduct code review and input validation:\u003c/strong\u003e Perform a thorough security audit of the \u003ccode\u003esave_client\u003c/code\u003e function in \u003ccode\u003eclasses/Users.php\u003c/code\u003e and all other input handling components to ensure proper sanitization and parameterized queries are used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T03:17:53Z","date_published":"2026-07-05T03:17:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/","summary":"A high-severity SQL injection vulnerability, CVE-2026-14695, exists in SourceCodester Multi-Vendor Online Grocery Management System 1.0, allowing remote attackers to manipulate the 'Name' argument within the `save_client` function of `classes/Users.php` to execute arbitrary SQL commands, with a public exploit available.","title":"CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery Management System SQL Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14695-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14690"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Multi-Vendor Online Grocery Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web-application","improper-authorization","cve","sourcecodester"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-14690, has been identified in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This vulnerability specifically resides within the \u003ccode\u003esave_users\u003c/code\u003e function located in the \u003ccode\u003eclasses/Users.php\u003c/code\u003e file. The weakness stems from improper authorization controls, allowing an attacker to bypass security checks and manipulate user accounts. Remote exploitation is possible, meaning attackers do not need prior access to the system or user credentials. A public exploit has been made available, increasing the urgency for immediate remediation. For defenders, this vulnerability represents a critical risk of unauthorized access, privilege escalation, and potential compromise of the online grocery management system, including sensitive customer and transactional data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies the vulnerable SourceCodester Multi-Vendor Online Grocery Management System 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/classes/Users.php\u003c/code\u003e endpoint to invoke the \u003ccode\u003esave_users\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the improper authorization flaw, the application fails to adequately verify the attacker's privileges or authentication status for the \u003ccode\u003esave_users\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this bypass to create a new administrative user account or modify the roles/privileges of an existing low-privileged user.\u003c/li\u003e\n\u003cli\u003eWith the newly acquired or elevated administrative credentials, the attacker logs into the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative control over the Multi-Vendor Online Grocery Management System, potentially leading to data exfiltration, system defacement, or further compromise of the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14690 would grant unauthorized administrative access to the Multi-Vendor Online Grocery Management System. This direct compromise could lead to severe consequences, including the theft of sensitive customer information (e.g., personal data, order history), financial transaction manipulation, alteration of product inventories, or complete disruption of the online grocery platform. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk of significant reputational damage, financial loss, and regulatory penalties due to data breaches and service interruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply any available patches or security updates from SourceCodester for the Multi-Vendor Online Grocery Management System 1.0 to address CVE-2026-14690.\u003c/li\u003e\n\u003cli\u003eReview access logs for \u003ccode\u003e/classes/Users.php\u003c/code\u003e for any unauthorized or suspicious POST requests that occurred prior to applying the patch for CVE-2026-14690.\u003c/li\u003e\n\u003cli\u003ePerform an audit of user accounts, especially administrative accounts, for any newly created or modified users since the system's deployment or the disclosure of CVE-2026-14690, investigating any anomalous entries.\u003c/li\u003e\n\u003cli\u003eRefer to the provided references (\u003ca href=\"https://vuldb.com/cve/CVE-2026-14690\"\u003ehttps://vuldb.com/cve/CVE-2026-14690\u003c/a\u003e, \u003ca href=\"https://github.com/lee945/cve/issues/1\"\u003ehttps://github.com/lee945/cve/issues/1\u003c/a\u003e) for further details on the vulnerability and potential mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T02:19:33Z","date_published":"2026-07-05T02:19:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/","summary":"A high-severity improper authorization vulnerability (CVE-2026-14690) in the `save_users` function of SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to manipulate user accounts, potentially leading to privilege escalation or unauthorized access, with a public exploit readily available.","title":"CVE-2026-14690: Improper Authorization in SourceCodester Multi-Vendor Online Grocery Management System","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14690-sourcecodester/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14654"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple and Nice Shopping Cart Script 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","sourcecodester","shopping-cart"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability, identified as CVE-2026-14654, has been discovered in version 1.0 of the SourceCodester Simple and Nice Shopping Cart Script. This flaw specifically affects an unknown function within the \u003ccode\u003e/admin/girlsproductdeletequery.php\u003c/code\u003e file, where improper neutralization of special elements in the \u003ccode\u003euser_id\u003c/code\u003e argument leads to SQL injection. The vulnerability allows a remote and unauthenticated attacker to inject malicious SQL commands into database queries. The exploit for this vulnerability is publicly available, increasing the likelihood of its use in the wild. This poses a significant risk to organizations utilizing the affected software, enabling potential unauthorized access, data manipulation, or even remote code execution if the underlying database user has elevated privileges. The vulnerability was published on July 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an internet-facing instance of SourceCodester Simple and Nice Shopping Cart Script 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request to the \u003ccode\u003e/admin/girlsproductdeletequery.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes specially constructed SQL injection payloads within the \u003ccode\u003euser_id\u003c/code\u003e parameter, such as \u003ccode\u003e' OR 1=1--\u003c/code\u003e or \u003ccode\u003eUNION SELECT ...\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the \u003ccode\u003euser_id\u003c/code\u003e argument without adequate sanitization, causing the injected SQL commands to be executed by the backend database.\u003c/li\u003e\n\u003cli\u003eSuccessful injection allows the attacker to bypass authentication, query sensitive database information (e.g., user credentials, product details), modify existing data, or delete records.\u003c/li\u003e\n\u003cli\u003eDepending on the database system and the privileges of the database user account, the attacker may escalate the SQL injection to achieve remote code execution (RCE) on the underlying web server.\u003c/li\u003e\n\u003cli\u003eIf RCE is successful, the attacker can establish persistent access mechanisms, such as deploying web shells or other backdoors.\u003c/li\u003e\n\u003cli\u003eThe final objective often includes data exfiltration, website defacement, or broader compromise of the hosting infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14654 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's database, allowing for the theft of sensitive customer and product information, modification of order details, or deletion of critical data. While specific victim counts or targeted sectors are not available, any organization using SourceCodester Simple and Nice Shopping Cart Script 1.0 is at risk. The publicly available exploit further exacerbates the threat, making it easier for malicious actors to compromise systems and disrupt business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch SourceCodester Simple and Nice Shopping Cart Script 1.0 if an official update is available, or remove the affected component from internet exposure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-14654 Exploitation - SQL Injection in Shopping Cart Script\u0026quot; to your SIEM for early detection of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests targeting \u003ccode\u003e/admin/girlsproductdeletequery.php\u003c/code\u003e that contain unusual or suspicious characters and SQL keywords as described in the detection rule.\u003c/li\u003e\n\u003cli\u003eReview the references provided, particularly \u003ca href=\"https://github.com/Yuesswor/cve/issues/4\"\u003ehttps://github.com/Yuesswor/cve/issues/4\u003c/a\u003e and \u003ca href=\"https://vuldb.com/vuln/376167\"\u003ehttps://vuldb.com/vuln/376167\u003c/a\u003e, for potential workarounds or additional mitigation details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T21:20:52Z","date_published":"2026-07-04T21:20:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14654-sqli/","summary":"A remote, unauthenticated SQL injection vulnerability (CVE-2026-14654) in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows attackers to manipulate the `user_id` argument via `/admin/girlsproductdeletequery.php`, leading to database compromise, data exfiltration, or unauthorized access, with an exploit publicly available.","title":"CVE-2026-14654: Remote SQL Injection in SourceCodester Simple and Nice Shopping Cart Script","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14654-sqli/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14641"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Class and Exam Timetabling System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","sourcecodester","php"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA high-severity SQL injection vulnerability, tracked as CVE-2026-14641, has been identified in SourceCodester Class and Exam Timetabling System version 1.0. This flaw allows unauthenticated, remote attackers to execute arbitrary SQL commands by manipulating the 'ID' argument within the \u003ccode\u003e/edit_course.php\u003c/code\u003e file. The vulnerability stems from improper neutralization of special elements in SQL commands, specifically CWE-89. The exploit has been publicly disclosed and is actively available, increasing the risk of widespread exploitation. This vulnerability enables attackers to potentially read, modify, or delete data from the backend database, compromising data confidentiality and integrity. Defenders should prioritize patching and implementing robust input validation to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/edit_course.php\u003c/code\u003e endpoint of the vulnerable SourceCodester Class and Exam Timetabling System.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially malformed \u003ccode\u003eID\u003c/code\u003e parameter in the URL query string, containing SQL injection payloads (e.g., \u003ccode\u003eID=1%27%20UNION%20SELECT%20...\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003e/edit_course.php\u003c/code\u003e script processes the \u003ccode\u003eID\u003c/code\u003e parameter without proper input sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe application directly embeds the malicious \u003ccode\u003eID\u003c/code\u003e parameter's value into a backend SQL query.\u003c/li\u003e\n\u003cli\u003eThe database server executes the manipulated SQL query, which may bypass intended logic and allow the attacker to retrieve sensitive information or modify data.\u003c/li\u003e\n\u003cli\u003eThe web server responds to the attacker's request, potentially disclosing sensitive database content (e.g., user credentials, system configurations, application data) within the HTTP response body.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract the compromised data, achieve data exfiltration, or modify database records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14641 can lead to significant data breaches, where attackers can read, modify, or delete sensitive information stored in the application's database. This includes user accounts, academic records, scheduling data, and potentially administrative credentials. While specific victim counts are not available, the widespread use of SourceCodester systems in educational settings suggests that successful attacks could impact student and staff privacy, disrupt academic operations, and lead to reputational damage for affected institutions. The CVSS 3.1 score of 7.3 (High) indicates low impact on confidentiality, integrity, and availability, but SQL injection commonly leads to more severe consequences like full database compromise or even arbitrary code execution under certain configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching SourceCodester Class and Exam Timetabling System to a non-vulnerable version immediately to address CVE-2026-14641.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against the \u003ccode\u003e/edit_course.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnsure webserver logging (category: \u003ccode\u003ewebserver\u003c/code\u003e) is enabled and configured to capture full HTTP request details, especially \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e, to enable the rule.\u003c/li\u003e\n\u003cli\u003eImplement web application firewalls (WAFs) with rules designed to detect and block SQL injection payloads targeting HTTP GET parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T19:23:20Z","date_published":"2026-07-04T19:23:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sql-injection-sourcecodester/","summary":"A critical vulnerability, CVE-2026-14641, in SourceCodester Class and Exam Timetabling System version 1.0 allows for remote SQL injection via the 'ID' argument in the '/edit_course.php' file, enabling unauthenticated attackers to manipulate database queries with a publicly disclosed exploit.","title":"SQL Injection in SourceCodester Class and Exam Timetabling System (CVE-2026-14641)","url":"https://feed.craftedsignal.io/briefs/2026-07-sql-injection-sourcecodester/"}],"language":"en","title":"CraftedSignal Threat Feed - Sourcecodester","version":"https://jsonfeed.org/version/1.1"}