Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)
SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)
SECURITYHIGHCVE-2026-14695

SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)

A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate database queries via the Name parameter in the user registration handler.

Dylan H.

Security Team

July 5, 2026
3 min read

Affected Products

  • SourceCodester Multi-Vendor Online Grocery Management System 1.0

Overview

A high-severity SQL injection vulnerability has been discovered in the SourceCodester Multi-Vendor Online Grocery Management System version 1.0. The flaw resides in the save_client function located in classes/Users.php, which handles new user registrations. By manipulating the Name parameter submitted during registration, an unauthenticated attacker can inject arbitrary SQL commands into the underlying database query.

This vulnerability has been assigned CVE-2026-14695 and carries a CVSS base score of 7.3 (High), reflecting its remotely exploitable nature and potential for significant data exposure.

Technical Details

FieldDetails
CVE IDCVE-2026-14695
CVSS Score7.3 (High)
Attack VectorNetwork (Remote)
AuthenticationNone required
Affected Fileclasses/Users.php — save_client() function
Vulnerable ParameterName (Registration Handler)
VendorSourceCodester
Affected VersionMulti-Vendor Online Grocery Management System 1.0

The save_client function fails to properly sanitize or parameterize the Name field before incorporating it into a SQL query. An attacker submitting a crafted registration request can inject SQL syntax (e.g., ' OR '1'='1) to alter query logic, extract data, or in some configurations escalate to command execution via INTO OUTFILE or similar techniques.

Impact

Successful exploitation of this vulnerability could allow an attacker to:

  • Bypass authentication controls using boolean-based injection payloads
  • Extract sensitive data from the database, including credentials, customer PII, and vendor information
  • Modify or delete records within the application database
  • Potentially achieve remote code execution on misconfigured servers via SQL-based file write operations

In a multi-vendor grocery platform, a database compromise can expose payment details, order histories, and personal information for all registered users and vendors.

Proof of Concept

The vulnerability can be triggered by submitting a malformed Name field to the registration endpoint. Typical SQL injection probes include:

Name=test' OR '1'='1'--
Name=test'; DROP TABLE users;--
Name=test' UNION SELECT 1,2,3,database()--

These payloads manipulate the SQL query built inside save_client(), which lacks prepared statements or input sanitization.

Remediation

SourceCodester has not released an official patch at the time of publication. Until a patch is available, administrators should apply the following mitigations:

  1. Use prepared statements / parameterized queries — Replace raw string interpolation in save_client() with PDO or MySQLi prepared statements.
  2. Input validation — Strip or reject input containing SQL metacharacters (', ", ;, --, /*).
  3. Web Application Firewall (WAF) — Deploy a WAF with SQL injection detection rules in front of the application.
  4. Restrict database privileges — Ensure the application's database user has only the minimum required permissions (no FILE privilege).
  5. Disable public-facing registration if not required, or add CAPTCHA and rate limiting to slow automated exploitation.

References

  • NVD — CVE-2026-14695
  • OWASP SQL Injection Prevention Cheat Sheet
#CVE-2026-14695#SQL Injection#SourceCodester#Web Security#PHP#E-Commerce

Related Articles

SQL Injection in Pizzafy E-Commerce System Exposes Order Data (CVE-2026-14713)

A remotely exploitable SQL injection flaw in SourceCodester Pizzafy E-Commerce System 1.0 allows attackers to manipulate the confirm_order endpoint via an unsanitized ID parameter, threatening customer and order data.

3 min read

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read

CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote exploitation via an unsanitized user_id parameter.

3 min read
Back to all Security Alerts