CVE-2026-9447

HIGH

SourceCodester Simple POS and Inventory System search.php sql injection

Title source: cna

Description

A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-365428 | SourceCodester Simple POS and Inventory System search.php sql injection

https://vuldb.com/vuln/365428

Signature, Permissions Required signature permissions-required

VDB-365428 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365428/cti

Third Party Advisory third-party-advisory

Submit #813614 | POS Inventory System 1.0 Reflected Cross-Site Scripting (XSS) + SQL Injection

https://vuldb.com/submit/813614

Exploit exploit

https://gist.github.com/c4ttr4ck/24c157c90227c3f5cd5e5d871449fed8

Product product

https://www.sourcecodester.com/

Scores

CVSS v3 7.3

EPSS 0.0032

EPSS Percentile 23.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (1)

SourceCodester/Simple POS and Inventory System 1.0

Published May 25, 2026

Tracked Since May 25, 2026