CVE-2021-38840

CRITICAL

Simple Water Refilling Station Management System 1.0 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-38840. PoCs published by Matt Sorrell.


Description

SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.

Exploits (2)

exploitdb WORKING POC
by Matt Sorrell · python · webapps · php
https://www.exploit-db.com/exploits/50205

This exploit leverages a SQL injection to bypass authentication and an unrestricted file upload vulnerability to achieve remote code execution (RCE) in Simple Water Refilling Station Management System 1.0. It uploads a PHP shell and triggers a reverse shell payload based on the target OS.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Simple Water Refilling Station Management System 1.0
No auth needed
Prerequisites: Network access to the target · PHP execution permissions in the upload directory
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Matt Sorrell · text · webapps · php
https://www.exploit-db.com/exploits/50204

This exploit demonstrates an SQL injection vulnerability in the Simple Water Refilling Station Management System 1.0, allowing authentication bypass via a crafted POST request. The payload manipulates the username parameter to bypass login controls.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Simple Water Refilling Station Management System 1.0
No auth needed
Prerequisites: Access to the login endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory x_refsource_misc
https://www.sourcecodester.com/users/tips23
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50205
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50204
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38840

Scores

CVSS v3 9.8
EPSS 0.0247
EPSS Percentile 82.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
simple_water_refilling_station_management_system_project/simple_water_refilling_station_management_system 1.0
Published Sep 07, 2021
Tracked Since Feb 18, 2026