CVE-2026-5033: SQL Injection in Accounting System Customer View Module
A SQL injection vulnerability tracked as CVE-2026-5033 has been disclosed in code-projects Accounting System 1.0, a PHP-based open-source accounting management application. The flaw resides in the handling of the cos_id parameter of the /view_costumer.php endpoint and is remotely exploitable, carrying a CVSS v3.1 score of 7.3 (High) under CWE-89.
The vulnerability is notable for affecting an accounting application — a context where a database typically contains particularly sensitive financial records, customer billing data, and transaction histories. Exploitation could expose far more sensitive data than a typical web application SQLi.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5033 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | code-projects Accounting System 1.0 |
| Vulnerable File | /view_costumer.php |
| Vulnerable Parameter | cos_id |
| Attack Vector | Network (Remote) |
| Authentication Required | Low |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability is in the customer detail view module. The /view_costumer.php file (note the typo in the filename — a common indicator of hastily written code) accepts a cos_id GET parameter to look up a specific customer record. This parameter is directly concatenated into a SQL query without validation, encoding, or use of prepared statements.
Exploitation Mechanism
An attacker who can reach the customer view endpoint can inject SQL via the cos_id parameter:

```text
/view_costumer.php?cos_id=1' OR '1'='1
/view_costumer.php?cos_id=1 UNION SELECT NULL,NULL,NULL,NULL,NULL--
/view_costumer.php?cos_id=1' AND 1=2 UNION SELECT username,password,email,NULL,NULL FROM users--
```
In an accounting application context, exploitation may expose:
- Customer financial records — billing history, outstanding balances, payment details
- Invoice and transaction data — full transaction history accessible via UNION injection
- Business financial data — account balances, revenue records, cost data
- Administrative credentials — usernames and passwords for the accounting system
- Tax and regulatory data — any stored tax IDs, business identifiers, or compliance records
Attack Flow
1. Attacker identifies an internet-accessible Accounting System 1.0 deployment
2. Attacker crafts malicious cos_id parameter targeting /view_costumer.php
3. Server embeds unsanitized cos_id into SQL query and executes it
4. Injected SQL returns customer, financial, or credential records
5. Attacker exfiltrates financial data, admin credentials, and customer PII
6. Data is leveraged for fraud, extortion, or further system access
Elevated Risk Profile for Accounting Applications
SQL injection in accounting software carries elevated risk compared to general web applications:
| Risk Factor | Description |
|---|---|
| Financial Data | Accounting systems store revenue, expenses, invoices, and payment records |
| Customer Billing PII | Names, addresses, payment terms, and contact data for all clients |
| Business Intelligence | Competitor advantage from exposed financial performance data |
| Regulatory Exposure | Financial records may be subject to GDPR, PCI DSS, or SOX requirements |
| Fraud Enablement | Access to invoice data could enable business email compromise or invoice fraud |
Remediation
Immediate Steps
- Restrict /view_costumer.php — Block this endpoint from internet access immediately
- Audit all cos_id usage throughout the codebase for similar unparameterized queries
- Deploy WAF — Enable SQL injection rules on all PHP application endpoints
- Inventory the database — Identify what financial and personal data is stored and potentially exposed
- Rotate credentials — All application and database passwords should be changed
- Review access logs — Check for anomalous requests to /view_costumer.php that may indicate prior exploitation
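To make the "review access logs" step concrete, the following PHP CLI script is an added example (not part of the original advisory) that triages web-server access logs for requests to /view_costumer.php whose cos_id is not a plain positive integer. The log lines are constructed samples in Apache combined-log format; the IP addresses, timestamps and byte counts are invented for the demonstration.

```php
<?php
// Added example: access-log triage for the vulnerable endpoint.
// Not the project's own code. SAMPLE_LOG is constructed test data.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Mar/2026:10:15:01 +0000] "GET /view_costumer.php?cos_id=7 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:15:09 +0000] "GET /view_costumer.php?cos_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2026:10:16:30 +0000] "GET /view_costumer.php?cos_id=1%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.22 - - [12/Mar/2026:10:16:31 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.5 - - [12/Mar/2026:10:20:00 +0000] "GET /view_costumer.php?cos_id=12 HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
LOG;

// Parse one combined-log line into the fields needed for triage.
// Returns null when the line does not match the expected layout.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6],
    ];
}

// A legitimate cos_id is a plain positive integer. Anything else sent to
// this endpoint (quotes, SQL keywords, comment markers) deserves a look.
function classifyRequest(array $req): ?string
{
    $parts = parse_url($req['path']);
    if (($parts['path'] ?? '') !== '/view_costumer.php') {
        return null;                      // other endpoints are out of scope here
    }
    parse_str($parts['query'] ?? '', $params); // parse_str URL-decodes the values
    $cosId = (string) ($params['cos_id'] ?? '');
    if (preg_match('/^[1-9]\d*$/', $cosId)) {
        return null;                      // looks like normal use
    }
    if (preg_match('/union|select|sleep|benchmark|--|\/\*|\'|"/i', $cosId)) {
        return 'sqli-pattern';
    }
    return 'non-numeric-cos_id';
}

// Run every line through the parser and classifier; return the suspicious ones.
function triage(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        $label = classifyRequest($req);
        if ($label !== null) {
            $hits[] = array_merge($req, ['label' => $label]);
        }
    }
    return $hits;
}

foreach (triage(SAMPLE_LOG) as $hit) {
    printf("%-16s %-26s %3d %8s  %s\n",
        $hit['ip'], $hit['time'], $hit['status'], $hit['bytes'], $hit['label']);
}
```

Run it with `php triage.php` after replacing SAMPLE_LOG with `file_get_contents('/var/log/apache2/access.log')` or similar. Two of the constructed lines are flagged; note that the flagged request returning a 200 with a response far larger than the baseline for a single customer record is the pattern that points to successful data extraction rather than a blocked attempt, so response size is worth keeping in the output.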
Code-Level Fix
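As an added example, not code from the project, here is a complete hardened handler for the customer lookup. It goes beyond swapping in a prepared statement: the identifier is validated as a positive integer before any database access, the PDO connection is configured to throw on errors and to use server-side prepares, the bound value is typed as an integer, and output is escaped. The DSN, credentials, and the customers/cos_id/cos_name/email column names are assumptions made for the example.

```php
<?php
// Added example: hardened replacement for the lookup in view_costumer.php.
// Not the project's own code. Connection details and column names are
// assumptions; a real deployment loads them from configuration.
declare(strict_types=1);

function openDb(): PDO
{
    // Assumed DSN and credentials (placeholders).
    return new PDO(
        'mysql:host=localhost;dbname=accounting;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Validate the identifier before it goes anywhere near SQL. Only a positive
// integer is a legitimate customer id; every other input is rejected outright.
function parseCustomerId(array $query): ?int
{
    if (!isset($query['cos_id']) || is_array($query['cos_id'])) {
        return null;
    }
    $id = filter_var($query['cos_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// The value travels as a typed bound parameter, so it can never alter the
// structure of the statement. Returns null when no such customer exists.
function fetchCustomer(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT cos_id, cos_name, email FROM customers WHERE cos_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$id = parseCustomerId($_GET);
if ($id === null) {
    // Log a sanitized copy of the rejected value so log lines stay single-line.
    $raw = is_string($_GET['cos_id'] ?? null) ? $_GET['cos_id'] : '';
    $safe = substr(preg_replace('/[^\x20-\x7e]/', '?', $raw), 0, 80);
    error_log('view_costumer: rejected cos_id "' . $safe . '"');
    http_response_code(400);
    exit('Invalid customer id');
}

try {
    $customer = fetchCustomer(openDb(), $id);
} catch (PDOException $e) {
    // Never echo driver messages to the client; they reveal schema details.
    error_log('view_costumer: database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}

if ($customer === null) {
    http_response_code(404);
    exit('Customer not found');
}

// Escape on output so a stored value cannot become an XSS vector.
foreach ($customer as $field => $value) {
    echo htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The validation step is what makes the three payloads listed under Exploitation Mechanism fail before a query is ever built: none of them passes FILTER_VALIDATE_INT, so they are answered with a 400 and a log entry rather than reaching the database. The prepared statement is the second, independent layer for any value that does reach it.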
```php
// Vulnerable pattern: the raw GET value is concatenated into the query,
// so any SQL the caller supplies becomes part of the statement.
$query = "SELECT * FROM customers WHERE cos_id = " . $_GET['cos_id'];

// Secure pattern (PDO prepared statement): the value is sent as a bound
// parameter and cannot change the structure of the query.
$stmt = $pdo->prepare("SELECT * FROM customers WHERE cos_id = ?");
$stmt->execute([$_GET['cos_id']]);
```

Broader Codebase Audit
Given the prevalence of SQL injection CVEs across code-projects PHP applications, operators should audit every file for raw $_GET and $_POST variable usage in query strings. A grep scan for mysql_query, mysqli_query, or string-concatenated SQL is a reasonable starting point:
```shell
grep -rn --include='*.php' '\$_GET\|\$_POST' . | grep -i 'query\|SELECT\|INSERT\|UPDATE'
```

Impact Assessment
| Impact Area | Description |
|---|---|
| Financial Data Exposure | Full accounting database — invoices, balances, transactions — accessible |
| Customer PII | All customer records including billing and contact data at risk |
| Credential Theft | Admin passwords extractable, enabling full system takeover |
| Regulatory Breach | Financial data exposure may trigger GDPR or financial compliance notification obligations |
| Fraud Risk | Invoice and billing data enables targeted business email compromise attacks |
Key Takeaways
- CVE-2026-5033 is a CVSS 7.3 SQL injection in code-projects Accounting System 1.0, affecting the customer detail view endpoint
- The cos_id parameter in /view_costumer.php is unsanitized, enabling full database access from remote attackers
- Accounting applications store particularly sensitive financial data — the impact of exploitation is elevated compared to general web apps
- No official patch — restrict all access to this application until a code audit and fix are completed
- This follows a pattern of multiple SQL injection vulnerabilities across the code-projects PHP portfolio — treat all their applications as unaudited for production use