Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login
CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login
SECURITYHIGHCVE-2026-14652

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

Dylan H.

Security Team

July 5, 2026
3 min read

Affected Products

  • SourceCodester Simple and Nice Shopping Cart Script 1.0

Executive Summary

A high-severity SQL injection vulnerability (CVE-2026-14652) has been identified in SourceCodester Simple and Nice Shopping Cart Script version 1.0. The flaw resides in the admin authentication endpoint (/admin/login.php) where the Username parameter is passed directly to a database query without sanitization, enabling remote exploitation.

CVSS Score: 7.3 (High)

The vulnerability has been publicly disclosed and exploit code is available, meaning unpatched deployments face immediate risk.

Technical Details

Vulnerability Type

Classic SQL Injection (SQLi) via unsanitized user-controlled input in an authentication query. The Username field in /admin/login.php is concatenated directly into a SQL statement without parameterization or escaping.

Attack Vector

FieldValue
CVE IDCVE-2026-14652
CVSS v3.17.3 (High)
Attack VectorNetwork
Attack ComplexityLow
Authentication RequiredNone
Privileges RequiredNone
ScopeUnchanged

Affected Endpoint

POST /admin/login.php
Parameter: Username

An attacker can inject a payload such as ' OR '1'='1 into the Username field to bypass authentication or extract data from the underlying database.

Proof of Concept

The following example payload demonstrates authentication bypass:

Username: admin' OR '1'='1' -- -
Password: (anything)

This causes the backend query to evaluate as always-true, granting unauthenticated administrative access.

Impact

A successful exploit allows an attacker to:

  • Bypass admin authentication without valid credentials
  • Enumerate and extract the entire database, including user accounts and order data
  • Potentially escalate to Remote Code Execution via SQL file write operations (environment-dependent)
  • Access all administrative functionality of the shopping cart application

Affected Versions

ProductVersionStatus
SourceCodester Simple and Nice Shopping Cart Script1.0Vulnerable

No patch is currently available from the vendor. SourceCodester scripts are commonly deployed on shared hosting and small business environments.

Remediation

Until an official patch is released, administrators should:

  1. Remove or restrict access to the admin panel via network-level controls (firewall rules, .htaccess IP allowlist)
  2. Implement a Web Application Firewall (WAF) with SQLi detection rules
  3. Replace vulnerable queries with prepared statements / parameterized queries:
// Vulnerable (DO NOT USE)
$query = "SELECT * FROM admin WHERE username='" . $_POST['Username'] . "'";
 
// Secure replacement
$stmt = $pdo->prepare("SELECT * FROM admin WHERE username = ?");
$stmt->execute([$_POST['Username']]);
  1. Audit all input fields in the application for similar unsanitized concatenation patterns
  2. Monitor access logs for SQL injection patterns (', OR 1=1, --, UNION SELECT)

Detection

Look for the following indicators in your web server access logs:

POST /admin/login.php
User-Agent patterns: sqlmap, havij, or scripted requests
Parameters containing: ', OR, UNION, SELECT, --, #

Security teams can deploy Snort/Suricata rules targeting SQLi payloads against /admin/login.php.

References

  • NVD Entry — CVE-2026-14652
  • OWASP SQL Injection Prevention Cheat Sheet
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command
#SQL Injection#CVE-2026-14652#SourceCodester#PHP#Web Security#Authentication Bypass

Related Articles

CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote exploitation via an unsanitized user_id parameter.

3 min read

CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls product delete query via an unsanitized user_id parameter.

3 min read

CVE-2026-14688: SQL Injection in itsourcecode Hotel Management Admin Login

A high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0 allows remote attackers to exploit the admin login page via an unsanitized email parameter, enabling authentication bypass and data exfiltration.

4 min read
Back to all Security Alerts