CVE-2026-2865

High ⚡ Exploit Available
CWE-74 — Weakness Type
Published: Feb 21, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.3
📄 Description (English)

A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.

🤖 AI Executive Summary

A critical SQL injection vulnerability exists in Agri-Trading Online Shopping System 1.0 affecting the admin/productcontroller.php component. The vulnerability allows remote attackers to manipulate the 'Product' parameter via HTTP POST requests to execute arbitrary SQL commands. With a CVSS score of 7.3 and publicly available exploits, this poses an immediate threat to organizations using this system for e-commerce operations.

🤖 AI Intelligence Analysis (analyzed: May 5, 2026 19:32)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi agricultural e-commerce platforms, small-to-medium enterprises (SMEs) in the agri-business sector, and government agricultural trading portals. At-risk sectors include: (1) Ministry of Environment, Water and Agriculture (MEWA) digital platforms, (2) Private agricultural trading companies and cooperatives, (3) Food security and supply chain management systems, (4) Agricultural export/import platforms. The SQL injection could lead to unauthorized access to product databases, customer information theft, financial transaction manipulation, and supply chain disruption affecting Saudi Arabia's food security initiatives.
🏢 Affected Saudi Sectors
Agriculture and Food Security · E-commerce and Retail · Government (MEWA) · Supply Chain Management · Small and Medium Enterprises (SMEs)
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Agri-Trading Online Shopping System 1.0 in your environment
2. Isolate affected systems from production networks if critical patches cannot be applied immediately
3. Enable Web Application Firewall (WAF) rules to block SQL injection patterns in POST requests to admin/productcontroller.php
4. Review access logs for suspicious POST requests containing SQL keywords (UNION, SELECT, DROP, etc.)

PATCHING:
1. Apply the latest security patch from itsourcecode immediately
2. If patching is delayed, validate the 'Product' parameter and pass it to the database only through parameterized queries
3. Upgrade to a patched version or migrate to an alternative secure e-commerce platform

COMPENSATING CONTROLS:
1. Implement strict input validation: whitelist allowed characters for Product parameter
2. Use prepared statements and parameterized queries for all database operations
3. Apply principle of least privilege to database accounts used by the application
4. Enable SQL query logging and monitoring for anomalous patterns
5. Implement rate limiting on admin/productcontroller.php endpoints

DETECTION:
1. Monitor for POST requests containing: UNION, SELECT, INSERT, UPDATE, DELETE, DROP, EXEC, SCRIPT in Product parameter
2. Alert on multiple failed database connection attempts
3. Track unusual database query execution patterns
4. Implement IDS/IPS signatures for SQL injection in HTTP POST bodies
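Compensating control 1 and detection step 1 above, worked as an added Python example (not code from itsourcecode or from this advisory): an allow-list check for the Product parameter plus a scan that flags POST requests to admin/productcontroller.php whose Product value carries the listed SQL keywords. The input is a constructed JSON-lines application log that records the raw POST body; its field names, the leading-slash path and the allow-list pattern are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Keyword list from the advisory's DETECTION step 1.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC", "SCRIPT")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
# Allow-list for the Product parameter (COMPENSATING CONTROLS step 1). Assumption:
# product names use letters, digits, spaces, dots and hyphens, up to 64 characters.
PRODUCT_ALLOWED_RE = re.compile(r"[A-Za-z0-9 .\-]{1,64}")
# Assumption: the application is served from the web root, so the endpoint is this path.
TARGET_PATH = "/admin/productcontroller.php"


def product_is_valid(value: str) -> bool:
    """True when the whole Product value matches the allow-list pattern."""
    return PRODUCT_ALLOWED_RE.fullmatch(value) is not None


def flag_request(entry: dict) -> list[str]:
    """Return the reasons a logged request is suspicious (empty list if none)."""
    if entry.get("method") != "POST" or entry.get("path") != TARGET_PATH:
        return []
    params = parse_qs(entry.get("body", ""), keep_blank_values=True)
    reasons = []
    for value in params.get("Product", []):
        found = sorted({m.upper() for m in KEYWORD_RE.findall(value)})
        if found:
            reasons.append("sql-keywords:" + ",".join(found))
        if not product_is_valid(value):
            reasons.append("allowlist-violation")
    return reasons


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Scan JSON-lines entries and return (client, reasons) for each flagged request."""
    hits = []
    for line in lines:
        if line.strip():
            entry = json.loads(line)
            reasons = flag_request(entry)
            if reasons:
                hits.append((entry.get("client", "?"), reasons))
    return hits


# Constructed sample log (not real traffic); "body" is the raw URL-encoded POST form as logged.
SAMPLE_LOG = """
{"client": "10.0.0.5", "method": "POST", "path": "/admin/productcontroller.php", "body": "Product=Organic+Dates&price=12"}
{"client": "10.0.0.9", "method": "POST", "path": "/admin/productcontroller.php", "body": "Product=Dates%27+UNION+SELECT+1--&price=1"}
{"client": "10.0.0.8", "method": "POST", "path": "/admin/productcontroller.php", "body": "Product=Update+Kit&price=30"}
"""
HITS = scan_log(SAMPLE_LOG.splitlines())
```

Keyword matching alone flags legitimate names such as "Update Kit", so treat the two signals together and tune the allow-list to real product names before alerting on it.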
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development policy and procedures
ECC 2024 A.14.2.5 - Security testing in development and acceptance
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Input validation and output encoding
🔵 SAMA CSF
SAMA CSF ID.BE-3.1 - Vulnerability management processes
SAMA CSF PR.DS-6 - Data input and output integrity
SAMA CSF DE.CM-4 - Malicious code detection
SAMA CSF RS.MI-2 - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1 - Asset management
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.14.2.5 - Secure development testing
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning
📦 Affected Products / CPE (1 entry)
adonesevangelista:agri-trading_online_shopping_system:1.0
📊 CVSS Score
7.3 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector (AV:N): Network
Attack Complexity (AC:L): Low
Privileges Required (PR:N): None
User Interaction (UI:N): None
Scope (S:U): Unchanged
Confidentiality (C:L): Low
Integrity (I:L): Low
Availability (A:L): Low
📋 Quick Facts
Severity: High
CVSS Score: 7.3
CWE: CWE-74
Exploit: Yes
Patch: Yes
Published: 2026-02-21
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags
exploit-available · CWE-74