CVE-2026-37431: Beauty Parlour Management System SQL Injection (CVSS 9.8)

Overview

A critical SQL injection vulnerability has been identified in Beauty Parlour Management System v1.1, a PHP-based appointment and salon management web application. The flaw, tracked as CVE-2026-37431, carries a CVSS v3.1 base score of 9.8 (Critical) and requires no authentication to exploit.

The vulnerability resides in the /appointment-detail.php endpoint, where the aptnumber parameter is passed directly to the SQL query without sanitization or parameterization. An attacker can submit a crafted SQL statement to extract, modify, or delete records from the underlying database.

Technical Details

Field	Value
CVE ID	CVE-2026-37431
CVSS Score	9.8 (Critical)
Attack Vector	Network
Authentication	None required
Affected Component	`/appointment-detail.php` — `aptnumber` parameter
Vulnerability Type	SQL Injection (CWE-89)
Affected Version	Beauty Parlour Management System v1.1

Exploitation

The vulnerability is a classic error-based or UNION-based SQL injection in a GET or POST parameter. Because no authentication is required, any unauthenticated user with network access to the application can:

Enumerate database names, tables, and columns
Extract customer PII, appointment records, and payment information
Retrieve admin credentials (hashed or plaintext)
In some configurations, write files or execute OS commands via INTO OUTFILE or LOAD_FILE

Example of a vulnerable request pattern:

GET /appointment-detail.php?aptnumber=1' OR 1=1-- -

Tools such as sqlmap can fully automate database extraction against this endpoint with no special configuration.

Impact

Salon and beauty management systems typically store:

Customer names, phone numbers, and email addresses
Appointment histories and service records
Staff information and access credentials
Payment or invoice records

A successful exploitation could result in a full data breach of all records stored in the application's database, as well as potential lateral movement if database credentials are reused.

Remediation

Update immediately: Check with the software vendor or project maintainers for a patched release.
Use parameterized queries: Replace all dynamic SQL string concatenation with prepared statements using PDO or MySQLi.
Input validation: Enforce strict type-checking on numeric parameters such as aptnumber.
Web Application Firewall (WAF): Deploy a WAF rule to detect and block SQL injection payloads as a short-term mitigation.
Restrict network access: If the application is only needed internally, remove public internet exposure until patched.

References

Overview

Technical Details

Field	Value
CVE ID	CVE-2026-37431
CVSS Score	9.8 (Critical)
Attack Vector	Network
Authentication	None required
Affected Component	`/appointment-detail.php` — `aptnumber` parameter
Vulnerability Type	SQL Injection (CWE-89)
Affected Version	Beauty Parlour Management System v1.1

Exploitation

Enumerate database names, tables, and columns

Extract customer PII, appointment records, and payment information

Retrieve admin credentials (hashed or plaintext)

In some configurations, write files or execute OS commands via INTO OUTFILE or LOAD_FILE

Example of a vulnerable request pattern:

GET /appointment-detail.php?aptnumber=1' OR 1=1-- -

Tools such as sqlmap can fully automate database extraction against this endpoint with no special configuration.

Impact

Salon and beauty management systems typically store:

Customer names, phone numbers, and email addresses

Appointment histories and service records

Staff information and access credentials

Payment or invoice records

A successful exploitation could result in a full data breach of all records stored in the application's database, as well as potential lateral movement if database credentials are reused.

Remediation

Update immediately: Check with the software vendor or project maintainers for a patched release.

Use parameterized queries: Replace all dynamic SQL string concatenation with prepared statements using PDO or MySQLi.

Input validation: Enforce strict type-checking on numeric parameters such as aptnumber.

Web Application Firewall (WAF): Deploy a WAF rule to detect and block SQL injection payloads as a short-term mitigation.

Restrict network access: If the application is only needed internally, remove public internet exposure until patched.

CVE-2026-37431: Beauty Parlour Management System SQL Injection (CVSS 9.8)

Affected Products

Overview

Technical Details

Exploitation

Impact

Remediation

References

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

CVE-2026-41583: ZEBRA Zcash Node Consensus Rule Bypass (CVSS 9.1)

CVE-2026-41588: RELATE Courseware Timing Attack in Authentication (CVSS 9.0)

CVE-2026-37431: Beauty Parlour Management System SQL Injection (CVSS 9.8)

Affected Products

Overview

Technical Details

Exploitation

Impact

Remediation

References

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

CVE-2026-41583: ZEBRA Zcash Node Consensus Rule Bypass (CVSS 9.1)

CVE-2026-41588: RELATE Courseware Timing Attack in Authentication (CVSS 9.0)