PatchSiren cyber security CVE debrief
CVE-2026-10263 SourceCodester CVE debrief
A SQL injection vulnerability exists in SourceCodester Computer Repair Shop Management System up to version 1.0. The vulnerability is located in the /admin/products/manage_product.php file, where manipulation of the ID parameter allows an attacker to inject arbitrary SQL commands. The attack vector is network-based and does not require authentication, making it remotely exploitable. The vulnerability has been publicly disclosed and assigned a CVSS 4.0 score of 5.5 (MEDIUM severity). The weakness is categorized under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The vendor attribution is currently uncertain, with the reference domain candidate pointing to Vuldb; this requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor
- SourceCodester
- Product
- Computer Repair Shop Management System
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations running SourceCodester Computer Repair Shop Management System version 1.0 or earlier; security teams managing PHP-based web applications; database administrators responsible for application security; incident response teams monitoring for public exploit activity against small business management software.
Technical summary
The vulnerability is a classic SQL injection flaw in a PHP web application. The endpoint /admin/products/manage_product.php accepts an ID parameter that is not properly sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can manipulate this parameter to alter the structure of the executed SQL statement, potentially enabling unauthorized data access, modification, or deletion. The CVSS 4.0 score of 5.5 reflects limited impacts to confidentiality, integrity, and availability. The exploit has been made public, increasing the risk of active exploitation. The vendor field is marked as unknown with low confidence, requiring verification against the actual software maintainer.
Defensive priority
medium
Recommended defensive actions
- Apply input validation and parameterized queries (prepared statements) to the ID parameter in /admin/products/manage_product.php
- Restrict database account privileges to least-privilege principles to limit impact of successful injection
- Monitor web application logs for suspicious SQL patterns in requests to /admin/products/manage_product.php
- Contact SourceCodester or the software maintainer to confirm vendor attribution and request a security patch
- Review and update web application firewall (WAF) rules to detect and block SQL injection attempts against the identified endpoint
Evidence notes
The vulnerability was published on 2026-06-01. The affected product is identified as SourceCodester Computer Repair Shop Management System up to version 1.0. The specific vulnerable file is /admin/products/manage_product.php with the ID parameter as the injection point. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), with partial impacts to confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit availability is marked as proof-of-concept (E:P). Vendor attribution confidence is low based on reference domain candidate analysis.
Official resources
public