CVE-2026-14694

MEDIUM

SourceCodester Multi-Vendor Online Grocery Management System POST Parameter Master.php cancel_order sql injection

Title source: cna
STIX 2.1

Description

A vulnerability has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this issue is the function cancel_order of the file classes/Master.php of the component POST Parameter Handler. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References (6)

Core 6
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-376290 | SourceCodester Multi-Vendor Online Grocery Management System POST Parameter Master.php cancel_order sql injection
https://vuldb.com/vuln/376290
Signature, Permissions Required signature permissions-required
VDB-376290 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/376290/cti
Third Party Advisory third-party-advisory
CVE-2026-14694 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-14694
Third Party Advisory third-party-advisory
Submit #846834 | SourceCodester Multi-Vendor Online Grocery Management System 1.0 SQL Injection
https://vuldb.com/submit/846834
Exploit exploit issue-tracking
https://github.com/lee945/cve/issues/5

Scores

CVSS v3 6.3
EPSS 0.0020
EPSS Percentile 10.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-74 CWE-89
Status published
Products (1)
SourceCodester/Multi-Vendor Online Grocery Management System 1.0
Published Jul 05, 2026
Tracked Since Jul 05, 2026