CVE Alert: CVE-2025-10436 – Campcodes – Computer Sales and Inventory System
CVE-2025-10436
A weakness has been identified in Campcodes Computer Sales and Inventory System 1.0. The impacted element is an unknown function of the file /pages/sup_searchfrm.php?action=edit. Manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. An exploit has been made available to the public and could be used.
AI Summary Analysis
Risk verdict
Exploitation is feasible with a publicly available PoC and can be automated, making this a high-priority remote SQL injection risk.
Why this matters
Remote, unauthenticated access to the vulnerable web form can expose or corrupt inventory data and customer records, with potential data leakage and partial database compromise. For organisations running the Campcodes system publicly, an attacker could automate discovery and data extraction, risking regulatory exposure and reputational damage.
Most likely attack path
Attackers reach a publicly reachable instance, send crafted parameters to the sup_searchfrm.php?action=edit endpoint, and trigger SQL injection without user interaction. The vulnerability grants network access with no privileges needed and allows partial impact to confidentiality, integrity and availability, enabling data exfiltration or manipulation. Public PoC availability suggests rapid exploitation could scale across multiple deployments.
Who is most exposed
Typical exposure is for SMBs using this PHP-based inventory system with internet-facing admin or search interfaces; deployments on shared hosting or exposed servers amplify risk.
Detection ideas
- Unusual or error-prone SQL responses in web app logs.
- Spikes or patterns of requests to sup_searchfrm.php?action=edit with suspicious ID values.
- SQL error messages or database fingerprinting in responses.
- WAF/IDS alerts for SQLi payloads targeting the parameter.
- Correlated authentication/DB access anomalies around inventory operations.
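A small log-triage script for the second and third detection ideas, added here as an example (it is not part of the advisory or the Campcodes project). It assumes Apache combined-format access logs and that the ID argument is expected to be a numeric row identifier, which the advisory does not state.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "GET /pages/sup_searchfrm.php?action=edit&ID=42 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:00:02 +0000] "GET /pages/sup_searchfrm.php?action=edit&ID=42%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:00:03 +0000] "GET /pages/sup_searchfrm.php?action=edit&ID=42%20x HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:10:00:04 +0000] "GET /pages/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/pages/sup_searchfrm.php"   # endpoint named in the advisory
# Assumption: ID is a database row identifier, so anything but a positive integer is out of spec.
ID_OK = re.compile(r"^\d+$")


def classify(line):
    """Return a reason string if the line is suspicious for this CVE, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a parseable access-log line
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None                      # other endpoints are out of scope here
    qs = parse_qs(url.query, keep_blank_values=True)   # also percent-decodes values
    if qs.get("action") != ["edit"]:
        return None
    bad = [v for v in qs.get("ID", []) if not ID_OK.match(v)]
    if bad:
        return f"malformed ID {bad!r} from {m['ip']}"
    if int(m["status"]) >= 500:          # server error on the edit action: possible SQL error
        return f"server error on edit action from {m['ip']}"
    return None


def scan(log_text, burst_threshold=2):
    """Return (alerts, noisy_sources): per-line reasons and IPs at or above the burst threshold."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            alerts.append(reason)
            hits[LOG_RE.match(line)["ip"]] += 1
    noisy = [ip for ip, n in hits.items() if n >= burst_threshold]
    return alerts, noisy
```

Run `scan(SAMPLE_LOG)` to see two alerts for 203.0.113.5 and that address listed as a noisy source; tune `burst_threshold` to the request volume of the real deployment.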
Mitigation and prioritisation
- Apply vendor advisories and patches promptly; prioritise patching the affected module.
- Implement parameterised queries and input validation; disable or tightly constrain the edit action if feasible.
- Enforce least privilege for the web app’s database user; restrict network exposure to the app.
- Deploy WAF rules to detect and block typical SQLi payloads; monitor for exfiltration indicators.
- Change-management: plan a validated patch window with rollback and test in a staging environment.
- If the CVE is listed in the CISA KEV catalogue or its EPSS score is ≥ 0.5, treat it as priority 1.