CVE-2026-14695
High, CVSS 7.3
Summary
A SQL injection vulnerability was found in SourceCodester Multi-Vendor Online Grocery Management System 1.0 in the save_client function of classes/Users.php. Manipulation of the Name argument in the Registration Handler allows remote SQL injection. The exploit has been made public and could be used.
Risk Assessment
An attacker can remotely steal, modify, or delete database data, compromising the confidentiality and integrity of the grocery management system data.
Recommendation
Immediately update the system to the latest version or apply a security patch that sanitizes input in the Name argument. Until then, temporarily disable the registration function or use a Web Application Firewall (WAF).
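One way a patch can handle the Name argument is a parameterized query, shown here as an added example that is not the SourceCodester code. The function name save_client_safe, the table client_list and its columns are hypothetical, and an in-memory SQLite database through PDO is assumed so the example runs offline.

```php
<?php
// Added illustration, not the vendor's code. save_client_safe, client_list
// and the column names are hypothetical.
declare(strict_types=1);

function save_client_safe(PDO $db, array $post): int
{
    $name = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Validation limits what gets stored; it is not the injection defence.
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('invalid name');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }

    // Placeholders keep the values out of the SQL text, so a quote
    // character in Name is stored as data and never parsed as SQL.
    $stmt = $db->prepare(
        'INSERT INTO client_list (name, email, password)
         VALUES (:name, :email, :password)'
    );
    $stmt->execute([
        ':name' => $name,
        ':email' => $email,
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int)$db->lastInsertId();
}

// Constructed demo database and input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE client_list
           (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)');

$id = save_client_safe($db, [
    'name' => "O'Brien' OR '1'='1",   // constructed name with SQL metacharacters
    'email' => 'user@example.com',
    'password' => 'constructed-sample',
]);

// The name comes back byte for byte, and exactly one row exists.
$check = $db->prepare('SELECT name FROM client_list WHERE id = :id');
$check->execute([':id' => $id]);
echo $check->fetchColumn(), PHP_EOL;
echo $db->query('SELECT COUNT(*) FROM client_list')->fetchColumn(), PHP_EOL;
```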
Original NVD description (English source)
A vulnerability was found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_client of the file classes/Users.php of the component Registration Handler. The manipulation of the argument Name results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

