CVE Catalog

CVE-2026-14694

MediumCVSS 6.3
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A SQL injection vulnerability has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0 in the cancel_order function of classes/Master.php. Manipulation of the ID argument in POST requests allows SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.

Risk Assessment

The risk involves the possibility of remote execution of unauthorized SQL queries, which could lead to data leakage, modification, or deletion, as well as potential system compromise.

Recommendation

Immediately update the system to the latest version or apply a security patch. Additionally, implement input validation and sanitization for all user inputs, especially the ID argument in POST requests.

Original NVD description (English source)

A vulnerability has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this issue is the function cancel_order of the file classes/Master.php of the component POST Parameter Handler. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS