MEDIUM 4.7

CVE-2026-10155: SQL Injection in Bdtask Multi-Store Inventory Management System 1.0

A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Bdtask Multi-Store Inventory Management System 1.0. The impacted element is the function accounts_report_search of the file application/modules/accounts/controllers/Accounts.php of the component Accounts Report Handler. Performing a manipulation of the argument dtpToDate results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10155 is a remote SQL injection vulnerability (CWE-89, CWE-74) in the accounts_report_search() function of application/modules/accounts/controllers/Accounts.php. The dtpToDate parameter accepts user input without proper sanitization or parameterized query protection, allowing authenticated users with high privileges to craft SQL payloads. The vulnerability requires network access and high-privilege credentials but no user interaction. CVSS 3.1 score of 4.7 (MEDIUM) reflects limited confidentiality and integrity impact constrained by privilege requirements.

Business impact

Organizations using Bdtask Multi-Store Inventory Management System 1.0 face exposure of financial records, account balances, and transaction history through data exfiltration. Attackers with administrative or reporting access could also modify account data to conceal fraud, redirect payments, or corrupt audit trails. Service disruption is possible if injected queries consume resources or crash the database. The availability of public exploit code elevates the likelihood of opportunistic attacks against this system.

Affected systems

Bdtask Multi-Store Inventory Management System version 1.0 is directly affected. Organizations should verify their deployment version immediately. The vulnerability is limited to authenticated users with high-privilege roles (those authorized to access the Accounts Report module), but insider threats and compromised administrative accounts present realistic attack vectors.

Exploitability

Exploitation requires network access and high-privilege authentication credentials. The barrier to exploitation is moderate—attackers must possess legitimate or compromised high-privilege account credentials. However, the publication of exploit code removes technical barriers and increases the likelihood that opportunistic attackers will attempt to leverage this vulnerability if they gain administrative access through phishing, credential theft, or lateral movement. No user interaction or low-privilege escalation is needed once authenticated.

Remediation

Upgrade Bdtask Multi-Store Inventory Management System to a patched version released after June 17, 2026 (verify against the vendor advisory for specific version number). Implement input validation and use parameterized queries for all database interactions in the Accounts module. Apply the principle of least privilege—restrict Accounts Report access to only users who require it for legitimate business functions. Deploy web application firewalls to detect and block SQL injection patterns targeting the dtpToDate parameter.

Patch guidance

Verify the latest security patch from Bdtask through their official website or support portal. Apply patches in a controlled test environment before production deployment. If an immediate patch is unavailable, implement compensating controls: restrict network access to the Accounts module to trusted internal IP ranges, enforce multi-factor authentication for high-privilege accounts, and monitor database query logs for suspicious SQL syntax patterns. Document the patch application date and tested version number for compliance records.

Detection guidance

Monitor database query logs for unusual SQL syntax in WHERE clauses involving the dtpToDate field—look for UNION SELECT, INTO, OR 1=1, and time-delay payloads. Track access to the Accounts Report search function; establish baseline usage patterns and alert on anomalies. Implement Web Application Firewall (WAF) rules to block requests containing common SQL injection keywords in the dtpToDate parameter. Review authentication logs for high-privilege account logins from unexpected locations or times. Set up alerting for database errors or slow queries that may indicate failed or resource-intensive injection attempts.

Why prioritize this

Although CVSS 3.1 rates this as MEDIUM severity, prioritize it for organizations where the Bdtask system handles sensitive financial data or where high-privilege account compromise is plausible (e.g., smaller teams with shared credentials). The public availability of exploit code and the remote, unauthenticated network accessibility make this an active threat. Organizations should patch within 30 days unless mitigating controls are in place. Lower priority for air-gapped deployments or systems with strict administrative access controls already enforced.

Risk score, explained

CVSS 3.1 score of 4.7 reflects: remote network accessibility (AV:N), low attack complexity (AC:L), high privilege requirement (PR:H), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The score is tempered by the privilege barrier but elevated by ease of exploitation and data sensitivity typical in financial systems. The public exploit availability effectively lowers real-world barriers below the CVSS assumption that exploits are not readily available.

Frequently asked questions

Do we need to patch immediately if we've restricted Accounts Report access to a small team?

Prioritize patching within 30 days, but your control reduces urgent risk. Implement additional mitigations: enforce multi-factor authentication, monitor database logs for injection patterns, and conduct credential hygiene reviews. If a team member's account is compromised externally (e.g., phishing), the restriction alone won't stop abuse.

Can a low-privilege user escalate to exploit this vulnerability?

No—the vulnerability requires high-privilege authentication credentials. However, the distinction between 'high privilege' and 'low privilege' depends on your role-based access control (RBAC) design. Verify exactly which roles can access the Accounts Report module and audit whether those roles are more broadly assigned than necessary.

Will a Web Application Firewall (WAF) protect us if we can't patch immediately?

A WAF can reduce risk by blocking common SQL injection payloads targeting the dtpToDate parameter. However, WAF protection is not a substitute for patching—sophisticated attackers may bypass WAF rules, and the fix should remain your primary goal. Use WAF as a temporary compensating control while you plan and execute the upgrade.

Should we be concerned about this if our Bdtask system is air-gapped or internal-only?

Air-gapped or well-segmented systems have lower immediate risk from remote exploitation, but insider threats or accidental exposure (e.g., VPN misconfiguration) remain possible. Audit your network architecture and access controls. Even for isolated systems, apply patches within 60 days to maintain security posture.

This analysis is for informational purposes and based on publicly available vulnerability data as of June 17, 2026. SEC.co does not conduct independent verification of vendor patch status or product versions. Organizations should verify patch availability directly with Bdtask and test thoroughly in non-production environments before deployment. CVSS scores represent base metrics; your organization's risk may differ based on deployment context, network isolation, and access controls. This does not constitute legal advice or a guarantee of security. Consult your security team and vendor documentation for implementation-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).