CVE-2026-9444

4.7 MEDIUM

A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0

Published: 2026-05-25 · Last updated: 2026-05-26

Severity and scoring

CVSS: 4.7 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74, CWE-89

Description

A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9444
[Other]https://gist.github.com/c4ttr4ck/5d05aaee5b43f259ebe8bb8bce5c658f
[Other]https://vuldb.com/submit/813611
[Other]https://vuldb.com/vuln/365425
[Other]https://vuldb.com/vuln/365425/cti
[Other]https://www.sourcecodester.com/

Related CVEs

Same CWE

CVE-2026-52715 — Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions (9.3 CRITICAL)
CVE-2026-52712 — Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions (7.6 HIGH)
CVE-2026-49772 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events C... (9.3 CRITICAL)
CVE-2026-39581 — Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions (8.5 HIGH)
CVE-2026-39574 — Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions (9.3 CRITICAL)