Sourcecodester Sourcecodester

  1. Vendors
  2. Sourcecodester

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Sourcecodester product.

RSS Feeds for Sourcecodester security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Sourcecodester products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Sourcecodester Sorted by Most Security Vulnerabilities since 2018

Sourcecodester Laboratory Management System8 vulnerabilities

Sourcecodester Company Website Cms7 vulnerabilities

Sourcecodester Best House Rental Management System6 vulnerabilities

Sourcecodester Student Grades Management System5 vulnerabilities

Sourcecodester Simple Pos Inventory System4 vulnerabilities

Sourcecodester Indian Invoicing System4 vulnerabilities

Sourcecodester Hospitals Patient Records Management System4 vulnerabilities

Sourcecodester Point Of Sales3 vulnerabilities

Sourcecodester Simple Customer Relationship Management System3 vulnerabilities

Sourcecodester Cab Management System2 vulnerabilities

Sourcecodester Survey Application System1 vulnerability

Sourcecodester Toll Tax Management System1 vulnerability

Sourcecodester Sup Online Shopping1 vulnerability

Sourcecodester Alumni Management System1 vulnerability

Sourcecodester Vehicle Management System1 vulnerability

Sourcecodester Downloading Client Database Management System1 vulnerability

Sourcecodester Best Salon Management System1 vulnerability

By the Year

In 2026 there have been 168 vulnerabilities in Sourcecodester with an average score of 5.8 out of ten. Last year, in 2025 Sourcecodester had 132 security vulnerabilities published. That is, 36 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.55




Year Vulnerabilities Average Score
2026 168 5.78
2025 132 6.33
2024 12 5.77
2023 1 7.20
2022 2 9.80
2021 6 8.45
2020 0 0.00
2019 2 0.00

It may take a day or so for new Sourcecodester vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Sourcecodester Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-9564 May 26, 2026
XSS Vulnerability in Hospitals Patient Records Management System 1.0 (Remarks) A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Hospitals Patient Records Management System
CVE-2026-9486 May 25, 2026
SourceCodester SGMS 1.0 Remote CSRF Vulnerability A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Student Grades Management System
CVE-2026-9485 May 25, 2026
XSS via Remarks in Student Grades Mgmt Sys 1.0 (students.php) A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Student Grades Management System
CVE-2026-9484 May 25, 2026
Improper Auth: SourceCodester Student Grades 1.0, Classroom.php A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Student Grades Management System
CVE-2026-9483 May 25, 2026
Impr. Auth in grades.php of SCS Student Grades Mgt 1.0 A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used.
Student Grades Management System
CVE-2026-9447 May 25, 2026
SQL Injection in SourceCodester Simple POS 1.0 via /user/search.php Name parameter A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Simple Pos Inventory System
CVE-2026-9446 May 25, 2026
SQL Injection in SourceCodester Simple POS v1.0 (edit_customer.php ID) A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Simple Pos Inventory System
CVE-2026-9445 May 25, 2026
SourceCodester Simple POS 1.0 Unrestricted File Upload in /admin/addproduct.php A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Simple Pos Inventory System
CVE-2026-9444 May 25, 2026
SQLi in SourceCodester Simple POS 1.0 deleteproduct.php via GET ID A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
Simple Pos Inventory System
CVE-2026-9414 May 25, 2026
XSS in SourceCodester Indian Invoicing System 0.x/1.0 (add_order.php) A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Indian Invoicing System
CVE-2026-9413 May 25, 2026
XSS in SourceCodester Indian Invoicing 1.0 /category.php msg A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Indian Invoicing System
CVE-2026-9412 May 25, 2026
Improper Access Control in SC Indian Invoicing 1.0 Backend Endpoint A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected.
Indian Invoicing System
CVE-2026-9411 May 25, 2026
SourceCodester Indian Invoicing System 1.0 SQLi in Invoice Gen Handler A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Indian Invoicing System
CVE-2026-9377 May 24, 2026
SourceCodester SUP Online Shopping 1.0 XSS via productName admin/productedit.php A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Sup Online Shopping
CVE-2026-9356 May 24, 2026
SQL Injection in manage_history.php of SourceCodester Hospital PMS 1.0 A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Hospitals Patient Records Management System
CVE-2026-9355 May 24, 2026
SourceCodester Hospitals PRM 1.0: SQLi via Master.php ID A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Hospitals Patient Records Management System
CVE-2026-9342 May 23, 2026
Remote SQLi in SourceCodester HPRMS 1.0 via view_history.php A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Hospitals Patient Records Management System
CVE-2026-8136 May 08, 2026
XSS in SourceCodester Pharmacy Sales & Inventory System 1.0 /index.php?page=users A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
CVE-2026-8131 May 08, 2026
SourceCodester SUP Online Shopping 1.0 SQLi via msgid in /admin/replymsg.php A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-8130 May 08, 2026
SQLi via seenid in SourceCodester SUP Online Shopping 1.0 Admin/message.php A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVE-2026-8129 May 08, 2026
SQL Injection in wishlist.php (delwlistid) - SourceCodester SUP Online Shopping 1.0 A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVE-2026-8128 May 08, 2026
SUP ONLINE SHOPPING 1.0: Remote SQLi via msgid (viewmsg.php) A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2026-8126 May 08, 2026
SQLi in SourceCodester Comment System 1.0 via post_comment.php Name A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
CVE-2026-8117 May 07, 2026
XSS in SourceCodester Pizzafy 1.0 via admin/index.php 'page' arg A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-8083 May 07, 2026
SourceCodester Pharmacy Sales 1.0 SQLi via ajax.php ID A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
CVE-2026-7746 May 04, 2026
SQLi via ID in edit-admin.php - Web-based Pharmacy PMS 1.0 A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2026-7550 May 01, 2026
SourceCodester Pharmacy SIS 1.0 SQLi in ajax.php?action=save_customer A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=save_customer. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-7549 May 01, 2026
SourceCodester Pharmacy System 1.0: Remote SQLi in /ajax.php delete_customer A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=delete_customer. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
CVE-2026-7545 May 01, 2026
SourceCodester ASM 1.0 - checkEmail Endpoint SQLI Remote A weakness has been identified in SourceCodester Advanced School Management System 1.0. The affected element is an unknown function of the file commonController.php of the component checkEmail Endpoint. This manipulation causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
CVE-2026-7506 Apr 30, 2026
SourceCodester HMS 1.0 SQLi via /index.php/reservation/check room_type A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-7447 Apr 30, 2026
SQLi via /admin/update_customer.php in SourceCodester Pet Grooming Management 1.0 A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file /admin/update_customer.php. This manipulation of the argument type/length/business parameter validity causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVE-2026-7410 Apr 29, 2026
SourceCodester Pizzafy Ecomm SQLi via pid in add_to_cart A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-7409 Apr 29, 2026
SQLi in Pizzafy 1.0 save_user AJAX (remote) A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
CVE-2026-7408 Apr 29, 2026
SourceCodester Pizzafy 1.0 SQLi in admin/ajax.php via save_menu A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
CVE-2026-7407 Apr 29, 2026
SQLi in SourceCodester Pizzafy Ecommerce 1.0 Setting Handler A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /pizzafy/admin/ajax.php?action=save_settings of the component Setting Handler. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2026-7401 Apr 29, 2026
XSS in SourceCodester CET AGAI 1.0 Registration (index.php?action=register) A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
CVE-2026-7394 Apr 29, 2026
SQLi via GET ID in Pizzafy Ecommerce 1.0 /admin/view_order.php A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVE-2026-7393 Apr 29, 2026
Pizzafy Ecommerce 1.0 Unrestricted File Upload via img in File Extension Handler A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2026-7392 Apr 29, 2026
SQLi in SourceCodester Pharmacy Sales 1.0 delete_supplier A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-7391 Apr 29, 2026
SQLi in SourceCodester Pharmacy Sales 1.0 via save_supplier (Remote) A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
CVE-2026-7390 Apr 29, 2026
XSS via Customer Name in SourceCodester Pharmacy Sales 1.0 A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
CVE-2026-7297 Apr 28, 2026
SourceCodester Pizzafy 1.0 XSS in save_user via Name A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-7296 Apr 28, 2026
SourceCodester Pizzafy 1.0 XSS in save_order via first_name A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
CVE-2026-7295 Apr 28, 2026
Pizzafy 1.0 XSS via /admin/ajax.php?action=save_menu Name A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-7294 Apr 28, 2026
SourceCodester Pizzafy 1.0 XSS via Name argument in save_settings A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.
CVE-2026-7293 Apr 28, 2026
SQLi in Pizzafy E/C 1.0 delete_category endpoint A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function delete_category of the file /admin/ajax.php?action=delete_category. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
CVE-2026-7283 Apr 28, 2026
SQLi in SourceCodester Pharmacy Sales & Inventory System 1.0 via save_expired A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function save_expired of the file /ajax.php?action=save_expired. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-7282 Apr 28, 2026
SourceCodester Pharmacy Sys 1.0 - SQLi in delete_expired() A vulnerability was identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function delete_expired of the file /ajax.php?action=delete_expired. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVE-2026-7281 Apr 28, 2026
SourceCodester Pharmacy Sales & Inventory System 1.0 XSS via supplier name input A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function supplier of the file /index.php?page=supplier. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVE-2026-7269 Apr 28, 2026
CVE-2026-7269: SourceCodester Pharmacy System 1.0 XSS via ID A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /index.php?page=product. Performing a manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.