Overview
A high-severity SQL injection vulnerability has been discovered in the SourceCodester Multi-Vendor Online Grocery Management System version 1.0. The flaw resides in the save_client function located in classes/Users.php, which handles new user registrations. By manipulating the Name parameter submitted during registration, an unauthenticated attacker can inject arbitrary SQL commands into the underlying database query.
This vulnerability has been assigned CVE-2026-14695 and carries a CVSS base score of 7.3 (High), reflecting its remotely exploitable nature and potential for significant data exposure.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-14695 |
| CVSS Score | 7.3 (High) |
| Attack Vector | Network (Remote) |
| Authentication | None required |
| Affected File | classes/Users.php — save_client() function |
| Vulnerable Parameter | Name (Registration Handler) |
| Vendor | SourceCodester |
| Affected Version | Multi-Vendor Online Grocery Management System 1.0 |
The save_client function fails to properly sanitize or parameterize the Name field before incorporating it into a SQL query. An attacker submitting a crafted registration request can inject SQL syntax (e.g., ' OR '1'='1) to alter query logic, extract data, or in some configurations escalate to command execution via INTO OUTFILE or similar techniques.
Impact
Successful exploitation of this vulnerability could allow an attacker to:
- Bypass authentication controls using boolean-based injection payloads
- Extract sensitive data from the database, including credentials, customer PII, and vendor information
- Modify or delete records within the application database
- Potentially achieve remote code execution on misconfigured servers via SQL-based file write operations
In a multi-vendor grocery platform, a database compromise can expose payment details, order histories, and personal information for all registered users and vendors.
Proof of Concept
The vulnerability can be triggered by submitting a malformed Name field to the registration endpoint. Typical SQL injection probes include:
Name=test' OR '1'='1'--
Name=test'; DROP TABLE users;--
Name=test' UNION SELECT 1,2,3,database()--
These payloads manipulate the SQL query built inside save_client(), which lacks prepared statements or input sanitization.
Remediation
SourceCodester has not released an official patch at the time of publication. Until a patch is available, administrators should apply the following mitigations:
- Use prepared statements / parameterized queries — Replace raw string interpolation in
save_client()with PDO or MySQLi prepared statements. - Input validation — Strip or reject input containing SQL metacharacters (
',",;,--,/*). - Web Application Firewall (WAF) — Deploy a WAF with SQL injection detection rules in front of the application.
- Restrict database privileges — Ensure the application's database user has only the minimum required permissions (no
FILEprivilege). - Disable public-facing registration if not required, or add CAPTCHA and rate limiting to slow automated exploitation.