PatchSiren cyber security CVE debrief
CVE-2026-9411 SourceCodester CVE debrief
A SQL injection vulnerability exists in SourceCodester Indian Invoicing System 1.0, in the Invoice Generation Handler component of /Invoicing/IGST_Invoice.php. A remote attacker can manipulate the customer_name or category parameter to inject SQL into the statement the handler builds. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring a low-privileged account but no user interaction, with low impact on confidentiality, integrity and availability. An exploit has been publicly disclosed. The CVE was published on 2026-05-25 and last modified on 2026-05-26. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in an SQL Command).
- Vendor
- SourceCodester
- Product
- Indian Invoicing System
- CVSS
- 2.1 (LOW)
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running SourceCodester Indian Invoicing System 1.0; security teams monitoring for SQL injection attacks; developers maintaining PHP-based invoicing applications
Technical summary
The vulnerability resides in the IGST_Invoice.php file of SourceCodester Indian Invoicing System 1.0. The customer_name and category request parameters reach a SQL statement without parameterization or effective validation, so an attacker controls part of the statement text and can change its logic (closing a string literal and appending an OR clause or a comment marker is the classic CWE-89 pattern). The attack is carried out remotely and needs only a low-privileged account. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P) records network reachability, low attack complexity, no attack requirements, low privileges, no user interaction, low impact across confidentiality, integrity and availability, and E:P, meaning a proof-of-concept exploit exists.
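The pattern described above, and the prepared-statement fix recommended in the defensive actions, as an added example that is not code from the product or the advisory. The real handler is PHP; this stand-in uses Python with an in-memory SQLite table so it runs offline. The table name, columns and rows are constructed for the demonstration, and the two injected values are generic CWE-89 payloads rather than the disclosed exploit.

```python
import sqlite3

# Added example: models the vulnerable lookup pattern in Python over sqlite3.
# The real application is PHP (IGST_Invoice.php); the table, columns and rows
# below are constructed for the demonstration, not taken from the product.


def build_db() -> sqlite3.Connection:
    """In-memory invoice table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY,
            customer_name TEXT NOT NULL,
            category TEXT NOT NULL,
            amount REAL NOT NULL
        );
        INSERT INTO invoices (customer_name, category, amount) VALUES
            ('Acme Ltd',       'goods',    1200.00),
            ('Bharat Traders', 'services',  340.50),
            ('Acme Ltd',       'services',   99.00);
        """
    )
    return con


def lookup_vulnerable(con, customer_name: str, category: str) -> list:
    """Request values are spliced into the SQL text (the CWE-89 pattern).

    Whatever the caller puts in customer_name or category becomes part of the
    statement, so quotes, OR clauses and comment markers rewrite its logic.
    """
    sql = (
        "SELECT id, customer_name, category, amount FROM invoices "
        f"WHERE customer_name = '{customer_name}' AND category = '{category}'"
    )
    return con.execute(sql).fetchall()


def lookup_safe(con, customer_name: str, category: str) -> list:
    """Same query with bound parameters: the values never reach the SQL parser."""
    sql = (
        "SELECT id, customer_name, category, amount FROM invoices "
        "WHERE customer_name = ? AND category = ?"
    )
    return con.execute(sql, (customer_name, category)).fetchall()


if __name__ == "__main__":
    con = build_db()
    # Tautology in category: the trailing OR applies to the whole WHERE clause.
    tautology = "x' OR '1'='1"
    # Comment marker in customer_name: the rest of the statement is discarded.
    # (MySQL needs "-- " with a trailing space; SQLite accepts a bare "--".)
    comment = "Acme Ltd' --"
    print("legit :", lookup_safe(con, "Acme Ltd", "goods"))
    print("vuln  :", lookup_vulnerable(con, "Acme Ltd", tautology))  # 3 rows
    print("safe  :", lookup_safe(con, "Acme Ltd", tautology))        # 0 rows
    print("vuln  :", lookup_vulnerable(con, comment, "nothing"))     # 2 rows
    print("safe  :", lookup_safe(con, comment, "nothing"))           # 0 rows
```

In the PHP code base the equivalent of lookup_safe is a PDO `prepare()` with `?` or named placeholders followed by `execute([...])`, or a mysqli prepared statement with `bind_param()`; escaping or "sanitizing" the values while still concatenating them into the query string is not an equivalent fix.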
Defensive priority
medium
Recommended defensive actions
- Replace string-built SQL in IGST_Invoice.php with prepared statements (PDO or mysqli with bound parameters) for customer_name, category and every other request-derived value; this is the actual fix
- Validate inputs as defense in depth, not as a substitute for parameterization: allow-list the accepted category values and length-limit customer_name
- Run the application's database account with least privilege: grants only on the tables and operations the invoicing workflow needs, no administrative or schema-changing rights
- Monitor for anomalous query patterns (UNION, comment markers, stacked statements, timing functions) and for low-privileged accounts issuing bursts of requests to the endpoint; the vector's PR:L means an attacker first needs a valid login
- Treat web application firewall (WAF) rules for SQL injection as a temporary mitigation until the code is fixed, since signature-based rules can be bypassed
- Review web access logs for requests to /Invoicing/IGST_Invoice.php whose customer_name or category values contain quotes, comment sequences or SQL keywords; parameters sent in a POST body do not appear in standard access logs, so application or WAF audit logs may be needed
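One way to carry out the log review above, as an added example that is not part of the advisory. It parses Apache combined-format lines, keeps only requests to the affected endpoint, URL-decodes the customer_name and category values and flags ones that show SQL injection indicators. The log lines are constructed for the demonstration, the indicator patterns are a starting point rather than an exhaustive signature set, and the example assumes the parameters arrive in the GET query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example: flags requests to the affected endpoint whose customer_name or
# category value looks like SQL injection. The log lines are constructed for the
# demonstration (Apache combined format); they are not real traffic.

ENDPOINT = "/Invoicing/IGST_Invoice.php"
PARAMS = ("customer_name", "category")

SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2026:10:01:12 +0000] "GET /Invoicing/IGST_Invoice.php?customer_name=Acme+Ltd&category=goods HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2026:10:01:13 +0000] "GET /Invoicing/IGST_Invoice.php?customer_name=Acme%27+OR+%271%27%3D%271&category=goods HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2026:10:02:44 +0000] "GET /Invoicing/IGST_Invoice.php?customer_name=Bharat&category=services%27+UNION+SELECT+user%2Cpassword%2C1%2C2+FROM+users--+ HTTP/1.1" 200 3120 "-" "sqlmap/1.8"
192.0.2.5 - - [25/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [25/May/2026:10:03:05 +0000] "GET /Invoicing/IGST_Invoice.php?customer_name=O%27Brien+%26+Sons&category=goods HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strong indicators: UNION SELECT, comment markers, statement separator, timing functions.
STRONG = re.compile(r"union\s+select|--|/\*|;|\b(sleep|benchmark)\s*\(", re.I)
# Weak indicator: an OR/AND clause adjacent to a quote. It only counts when the value
# also contains a quote, so a name like O'Brien & Sons is not flagged on its apostrophe.
LOGIC = re.compile(r"'\s*(or|and)\b|\b(or|and)\b\s*['\d(]", re.I)


def is_suspicious(value: str) -> bool:
    """True when a decoded parameter value carries SQL injection indicators."""
    if STRONG.search(value):
        return True
    return "'" in value and LOGIC.search(value) is not None


def review_access_log(text: str, endpoint: str = ENDPOINT, params=PARAMS) -> list:
    """Return one finding per suspicious parameter value on requests to endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        # parse_qs splits on raw '&' before percent-decoding, so an encoded %26
        # inside a value stays inside that value.
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                if is_suspicious(value):
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "path": parts.path,
                        "param": name, "value": value, "status": m["status"],
                    })
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} status={f['status']}")
```

Because the standard access log records only the request line, values submitted in a POST body are invisible to this check; for those, enable request-body logging in the application or use the WAF's audit log as the input instead. A hit should be correlated with the account that was logged in at the time, since the vector requires low privileges.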
Evidence notes
Vulnerability identified in SourceCodester Indian Invoicing System 1.0. Affected endpoint: /Invoicing/IGST_Invoice.php. Vulnerable parameters: customer_name, category. CVSS 4.0 score: 2.1 (LOW). Public exploit available per Vuldb submission.