SourceCodester SUP Online Shopping SQL Injection (CVE-2026-8129)
A high-severity SQL injection vulnerability, tracked as CVE-2026-8129, has been identified in SourceCodester SUP Online Shopping version 1.0. According to the National Vulnerability Database, the flaw resides in an unspecified function within the wishlist.php file. Remote attackers can exploit this by manipulating the delwlistid argument, leading to potential data compromise.
The CVSSv3.1 score for this vulnerability is 7.3 (High), indicating a significant risk. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. This means it’s a straightforward remote exploit. The National Vulnerability Database states that exploit details have been publicly disclosed, raising the urgency for remediation.
For defenders, this is a critical remote code execution vector. Any organization running SourceCodester SUP Online Shopping 1.0 is directly exposed. The public disclosure of exploit code means opportunistic attackers are likely already scanning for vulnerable instances. Patching or applying vendor-provided mitigations immediately is non-negotiable.
What This Means For You
- If your organization uses SourceCodester SUP Online Shopping 1.0, you are directly exposed to CVE-2026-8129. This is a severe SQL injection vulnerability with publicly available exploit details. Immediately identify all instances of this application, take them offline if patching isn't instant, and apply any available vendor updates or workarounds.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
SQL Injection in SourceCodester SUP Online Shopping wishlist.php - CVE-2026-8129
title: SQL Injection in SourceCodester SUP Online Shopping wishlist.php - CVE-2026-8129
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit the SQL injection vulnerability (CVE-2026-8129) in SourceCodester SUP Online Shopping 1.0. The rule specifically looks for requests to 'wishlist.php' containing the 'delwlistid' parameter with common SQL injection payloads, indicating an attempt to manipulate the database.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8129/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri:
- '/wishlist.php'
cs-uri-query|contains:
- 'delwlistid'
cs-uri-query|contains:
- "' OR 1=1--"
- "' UNION SELECT"
- "' OR SLEEP("
cs-method:
- 'GET'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8129 | SQLi | SourceCodester SUP Online Shopping 1.0 |
| CVE-2026-8129 | SQLi | wishlist.php |
| CVE-2026-8129 | SQLi | argument delwlistid |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...
CVE-2026-6666 — A possible null pointer reference in PgBouncer before
CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...
PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...