CVE-2026-10235: CodeAstro Ingredients Stock Management SQL Injection Vulnerability
CodeAstro Ingredients Stock Management System version 1.0 contains a SQL injection vulnerability in its stock manager component. An authenticated attacker can manipulate the txt_search_category parameter in the /Ingredients-Stock/stock_manager.php file to execute arbitrary SQL queries. This allows unauthorized data access, modification, or deletion within the application's database. The vulnerability requires valid login credentials but can be exploited over the network without user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A flaw has been found in CodeAstro Ingredients Stock Management System 1.0. This vulnerability affects unknown code of the file /Ingredients-Stock/stock_manager.php. This manipulation of the argument txt_search_category causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10235 is a SQL injection flaw (CWE-89, CWE-74) affecting CodeAstro Ingredients Stock Management System 1.0. The vulnerability exists in stock_manager.php where the txt_search_category input parameter is not properly sanitized before use in SQL queries. An authenticated remote attacker can craft malicious SQL payloads to bypass query logic, exfiltrate data, or modify database contents. The CVSS v3.1 score of 6.3 reflects network accessibility combined with the requirement for prior authentication. Public exploit code is available, increasing practical exploitation risk.
Business impact
Organizations deploying CodeAstro Ingredients Stock Management System 1.0 face potential data breaches involving inventory records, supplier information, and possibly customer data stored in the application database. Attackers with valid credentials—whether obtained through phishing, credential reuse, or insider access—can silently access or corrupt stock data, leading to inventory discrepancies, supply chain disruption, and compliance violations. The public availability of exploit code lowers the barrier to opportunistic attacks by less-skilled threat actors.
Affected systems
CodeAstro Ingredients Stock Management System version 1.0 is the confirmed affected release. Organizations should audit deployments of this product immediately. The vulnerability applies to all instances regardless of deployment environment (on-premises, cloud-hosted, or hybrid). Systems with network exposure and active user accounts are at highest risk.
Exploitability
Exploitation requires valid authentication credentials to access the application, which moderately raises the attack barrier compared to unauthenticated vulnerabilities. However, the flaw is trivial to exploit once authenticated—standard SQL injection payloads applied to the txt_search_category parameter will work reliably. The published exploit reduces development time for attackers. Threat actors can abuse compromised or weak employee accounts, or combine this flaw with credential-harvesting campaigns targeting organizations known to use the product.
Remediation
Upgrade to a patched version released by CodeAstro following this advisory. Verify patch availability and version numbers directly from the vendor's security advisory or release notes. Until patching is possible, implement strict input validation on the txt_search_category parameter by using parameterized queries or prepared statements. Apply database access controls to limit query scope and implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns.
Patch guidance
Contact CodeAstro for official patch information and deployment guidance specific to your version and environment. Verify patch availability before scheduling maintenance windows. Test patches in a staging environment mirroring your production configuration. After patching, confirm the fix by re-testing with known SQL injection payloads in a controlled setting. Document patch application date and version for compliance records.
Detection guidance
Monitor application logs for unusual SQL syntax in txt_search_category parameters, including SQL keywords (UNION, SELECT, OR, AND) within user input. Review database query logs for unexpected or high-volume queries originating from authenticated sessions. Set up alerts for failed login attempts followed by successful authentication, which may indicate credential compromise. Use Web Application Firewall logs to identify blocked SQL injection attempts. Endpoint Detection and Response (EDR) tools can flag suspicious database activity patterns.
Why prioritize this
Although the CVSS score is moderate (6.3), the combination of public exploit availability, authenticated-but-easy exploitation, and potential for data exfiltration or manipulation warrant prompt attention. Organizations should prioritize patching within 2–4 weeks based on inventory criticality and the presence of sensitive data in the application database. Exposure assessment should identify which user accounts have active access to the system.
Risk score, explained
The CVSS v3.1 score of 6.3 (MEDIUM) reflects: network accessibility (AV:N) lowering friction; low attack complexity (AC:L) due to straightforward SQL injection; requirement for prior login (PR:L) limiting attack surface; no scope change (S:U); and confidentiality, integrity, and availability impacts all at low level (C:L/I:L/A:L). The moderate score does not account for the published exploit, which increases practical risk beyond the base metric.
Frequently asked questions
Do we need to be logged in to exploit this?
Yes. The vulnerability requires valid authentication credentials. However, this is not a strong barrier if attackers obtain credentials through phishing, credential stuffing, or insider threats. Employees with access to the application are potential attack vectors.
Is this on the CISA Known Exploited Vulnerabilities (KEV) catalog?
No, this vulnerability is not currently listed in the CISA KEV catalog. However, public exploit code exists, which means active exploitation may occur without CISA designation. Organizations should not use KEV status as the sole basis for prioritization.
What data can an attacker steal using this SQL injection?
An attacker can query any data accessible to the application's database user account—typically inventory records, supplier details, transaction history, and potentially user credentials stored in the database. The scope depends on database permissions and what data the application manages. Conduct a data inventory review for your deployment.
Can this be exploited without network access?
No. The vulnerability is exploitable remotely over the network (AV:N). If your CodeAstro instance is only accessible from an internal network or VPN, the risk is reduced, but internal threat actors or compromised internal systems can still exploit it.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co makes no warranty regarding the accuracy or completeness of vendor patch information. Organizations must verify patch availability and compatibility with their specific deployments directly with CodeAstro. This document does not constitute professional security advice. Consult your internal security team or a qualified cybersecurity vendor for guidance tailored to your environment and risk profile. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface