{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4838", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-25T14:28:50.741Z", "datePublished": "2026-03-26T02:31:42.360Z", "dateUpdated": "2026-03-28T02:09:34.934Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T22:23:41.423Z"}, "title": "SourceCodester Malawi Online Market display.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Malawi Online Market", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-25T15:34:22.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "WeQi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353141", "name": "VDB-353141 | SourceCodester Malawi Online Market display.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353141", "name": "VDB-353141 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776081", "name": "Submit #776081 | SourceCodester Malawi Online Market V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_8.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:09:21.642348Z", "id": "CVE-2026-4838", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:09:34.934Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:09:21.642348Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:09:30.364Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Malawi Online Market display.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "WeQi (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "product": "Malawi Online Market", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-25T15:34:22.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.353141", "name": "VDB-353141 | SourceCodester Malawi Online Market display.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353141", "name": "VDB-353141 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776081", "name": "Submit #776081 | SourceCodester Malawi Online Market V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_8.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T22:23:41.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4838", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:09:34.934Z", "dateReserved": "2026-03-25T14:28:50.741Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-26T02:31:42.360Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una falla en SourceCodester Malawi Online Market 1.0. El elemento afectado es una funci\u00f3n desconocida del archivo /display.PHP. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento ID puede conducir a una inyecci\u00f3n SQL. Es posible lanzar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado. Si desea obtener la mejor calidad para datos de vulnerabilidades, entonces siempre debe considerar VulDB."}], "id": "CVE-2026-4838", "lastModified": "2026-03-27T23:17:15.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T04:17:13.340", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_8.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353141"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353141"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776081"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Malawi Online Market", "source": "cna", "vendor": "SourceCodester"}, "product": "malawi_online_market", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-26T04:18:25.543015+00:00", "value": {"mitigation_remediation": ["Check SourceCodester\u2019s website or support channels for an official patch or update for Malawi Online Market 1.0.", "If no patch is available, modify the application to validate the ID parameter strictly, allowing only numeric values and rejecting all others.", "Implement prepared statements or stored procedures for database access in the vulnerable code to eliminate injection possibilities.", "Configure a web application firewall to block suspicious SQL patterns targeting the /display.php endpoint.", "Regularly monitor database logs for unexpected queries or unauthorized schema changes to detect exploitation attempts early."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected system is SourceCodester Malawi Online Market version 1.0, developed and hosted by SourceCodester.", "description_and_impact": "The vulnerability is an SQL injection flaw in the /display.php file of SourceCodester Malawi Online Market 1.0. Manipulating the ID argument allows an attacker to inject arbitrary SQL statements, potentially allowing unauthorized reading, modification, or deletion of database contents. The exploitation mechanism is available from a remote attacker and has already been published, meaning the flaw could be weaponised without local access. Documentation indicates that the faulty component is an unknown function, which likely fails to validate or parameterise user input, leading to the injection. This weakness, identified as CWE\u201174 and CWE\u201189, directly compromises data confidentiality and integrity and may extend to availability if large data manipulation occurs.", "risk_and_exploitability": "The CVSS score of 6.9 denotes a moderate to high severity level, and although the EPSS score is not available, the existence of a published exploit and the remote attack vector significantly increase the real-world risk. Attackers can trigger the injection simply by altering the ID parameter in an HTTP request to /display.php, making the vulnerability relatively easy to exploit for those who can reach the application. Consequently, the risk to impacted deployments is substantial, especially without mitigations in place."}}}}, "created": "2026-03-26T11:30:41.887017+00:00", "updated": "2026-03-26T12:08:42.350017+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$malawi_online_market"]}