PatchSiren cyber security CVE debrief
CVE-2026-10155 Bdtask CVE debrief
A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System 1.0, specifically within the `accounts_report_search` function in `application/modules/accounts/controllers/Accounts.php`. The `dtpToDate` parameter is susceptible to manipulation, allowing remote attackers to inject arbitrary SQL commands. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no required user interaction, and high privileges required (PR:H), resulting in low impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed. The vulnerability was published on 2026-05-31.
- Vendor: Bdtask
- Product: Multi-Store Inventory Management System
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-31
- Original CVE updated: 2026-05-31
- Advisory published: 2026-05-31
- Advisory updated: 2026-05-31
Who should care
Organizations running Bdtask Multi-Store Inventory Management System 1.0, particularly those with externally accessible instances. Security teams responsible for PHP application security and database integrity. Developers maintaining legacy inventory management systems using this codebase.
Technical summary
The vulnerability is a SQL injection flaw in the `accounts_report_search` function of `application/modules/accounts/controllers/Accounts.php` in Bdtask Multi-Store Inventory Management System 1.0. The `dtpToDate` parameter lacks proper sanitization, allowing attackers to manipulate SQL queries remotely. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/E:P) reflects network accessibility, low attack complexity, high privilege requirements, low impact across CIA triad, and public exploit availability. The vulnerability status in NVD is 'Received' as of publication.
Defensive priority
low
Recommended defensive actions
- Apply input validation and parameterized queries to the dtpToDate parameter in the accounts_report_search function
- Review and sanitize all user-supplied inputs in the Accounts Report Handler component
- Monitor for unauthorized database access attempts targeting the Accounts module
- Apply vendor patches when available, or restrict access to the affected application pending remediation
- Consider implementing a Web Application Firewall (WAF) rule to detect SQL injection patterns in date parameter fields
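As an added illustration of the first two actions above (example code written for this debrief, not code from Bdtask or the affected application), the pattern is strict validation of `dtpToDate` followed by a bound query parameter, so the value never becomes part of the SQL text. Table, column and function names are hypothetical; only the `dtpToDate` parameter name comes from the advisory.

```php
<?php
// Added example, not Bdtask's code. Table, column and function names are
// hypothetical; only the `dtpToDate` parameter name comes from the advisory.

// Accept only a strict YYYY-MM-DD calendar date; anything else is rejected
// before it gets anywhere near a query.
function validate_report_date(string $input): ?string
{
    $d = DateTime::createFromFormat('!Y-m-d', $input);
    // createFromFormat is lenient (e.g. 2026-02-30 rolls over into March),
    // so round-trip the parsed value and insist it matches exactly.
    if ($d === false || $d->format('Y-m-d') !== $input) {
        return null;
    }
    return $input;
}

// Hardened report lookup: the validated date travels as a bound parameter.
// (In CodeIgniter 3, which this application's layout suggests, the
// equivalent call is $this->db->query($sql, [$to]).)
function accounts_report_rows(PDO $db, string $dtpToDate): ?array
{
    $to = validate_report_date($dtpToDate);
    if ($to === null) {
        return null; // fail closed: caller answers 400, nothing reaches the DB
    }
    $stmt = $db->prepare(
        'SELECT id, entry_date FROM account_entries WHERE entry_date <= ?'
    );
    $stmt->execute([$to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account_entries (id INTEGER PRIMARY KEY, entry_date TEXT)');
$db->exec("INSERT INTO account_entries (entry_date) VALUES ('2026-01-15'), ('2026-03-01')");

// A well-formed date is answered from the bound query.
var_dump(accounts_report_rows($db, '2026-02-01'));
// A lenient-but-invalid date and a non-date are both rejected before any query.
var_dump(accounts_report_rows($db, '2026-02-30'));
var_dump(accounts_report_rows($db, 'not-a-date'));
```

Because the date is checked against a single fixed format and then bound, the same function also closes off any other non-date content submitted in that field, not just the specific case the advisory records.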
Evidence notes
Vulnerability identified in Bdtask Multi-Store Inventory Management System 1.0. The affected component is the Accounts Report Handler, specifically the `accounts_report_search` function in `application/modules/accounts/controllers/Accounts.php`. The `dtpToDate` parameter is the injection point. CVSS 4.0 score of 2.0 (LOW severity). Public exploit availability confirmed. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in SQL Command) identified as weakness classifications.