CVE-2026-8128: SourceCodester SUP Online Shopping SQLi Exposed
The National Vulnerability Database has disclosed CVE-2026-8128, a high-severity SQL injection vulnerability in SourceCodester SUP Online Shopping 1.0. This flaw, found in the /admin/viewmsg.php file, specifically within an unknown function handling the msgid argument, allows for remote exploitation. Attackers can manipulate this argument to execute arbitrary SQL queries.
The CVSSv3.1 score for CVE-2026-8128 is 7.3 (HIGH), indicating a significant risk. Crucially, the exploit code for this vulnerability has been publicly released, meaning the window for proactive patching is closing rapidly. Any organization running SourceCodester SUP Online Shopping 1.0 is directly exposed to data theft, unauthorized access, and potential system compromise.
This is a classic SQL injection, falling under CWE-74 (Improper Neutralization of Special Elements in SQL Command) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)). The public availability of the exploit drastically lowers the bar for attackers. Defenders need to assume active exploitation is imminent, if not already underway.
What This Means For You
- If your organization uses SourceCodester SUP Online Shopping 1.0, you are directly vulnerable to CVE-2026-8128. Immediately identify all instances of this application, take them offline, and apply any available patches or implement strong input validation and parameterized queries as a temporary mitigation. Audit your logs for any suspicious activity targeting `/admin/viewmsg.php`.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-8128: SourceCodester SUP Online Shopping SQL Injection via viewmsg.php
title: CVE-2026-8128: SourceCodester SUP Online Shopping SQL Injection via viewmsg.php
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
Detects SQL injection attempts targeting SourceCodester SUP Online Shopping 1.0 by looking for requests to /admin/viewmsg.php with a 'msgid' parameter containing common SQL injection keywords like UNION, SELECT, and FROM. This is the primary detection for the CVE-2026-8128 vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8128/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
uri|contains:
- '/admin/viewmsg.php'
cs-uri-query|contains:
- 'msgid='
cs-uri-query|contains:
- 'UNION'
cs-uri-query|contains:
- 'SELECT'
cs-uri-query|contains:
- 'FROM'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8128 | SQLi | SourceCodester SUP Online Shopping 1.0 |
| CVE-2026-8128 | SQLi | Vulnerable file: /admin/viewmsg.php |
| CVE-2026-8128 | SQLi | Vulnerable parameter: msgid |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 06:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8133: zyx0814 FilePress SQL Injection Exploited
CVE-2026-8133 — A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file...
CodeAstro Leave Management System SQLi (CVE-2026-8132)
CVE-2026-8132 — A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of...
CVE-2026-8131: SourceCodester SUP Online Shopping SQL Injection
CVE-2026-8131 — A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation...