8.8

WebIncorp ERP: Unauthenticated SQL Injection via prod_id Parameter

CVE-2019-25440
Summary

An attacker can extract sensitive data from WebIncorp ERP's database by sending GET requests with a malicious prod_id value to the product_detail.php page. The attacker does not need to be logged in. To fix this, update product_detail.php to validate and sanitize the prod_id parameter so that it cannot change the SQL query.
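One way to apply the fix described above, as an added example that is not WebIncorp's code: strict validation of prod_id followed by a bound-parameter query. It assumes prod_id is a numeric key; the `products` table, its columns and the function names are hypothetical, and an in-memory SQLite database (pdo_sqlite) stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: table `products` with columns id, name, price.

/** Accept only a short run of ASCII digits; anything else is rejected. */
function parse_prod_id(mixed $raw): ?int
{
    // Arrays (prod_id[]=1), signs, spaces, quotes and empty values all fail here.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Look the product up with a bound parameter, never by string concatenation. */
function find_product(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Return [HTTP status, body] for one request's prod_id value. */
function handle_request(PDO $db, mixed $rawProdId): array
{
    $id = parse_prod_id($rawProdId);
    if ($id === null) {
        return [400, 'invalid prod_id'];   // rejected before any SQL is built
    }
    $row = find_product($db, $id);
    return $row === null ? [404, 'not found'] : [200, $row['name']];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (42, 'Sample widget', 9.99)");

// Constructed inputs standing in for $_GET['prod_id'].
foreach (['42', '7', "42'", '42 ', '', ['42']] as $raw) {
    [$status, $body] = handle_request($db, $raw);
    echo json_encode($raw), ' => ', $status, ' ', $body, PHP_EOL;
}
```

The validation step alone narrows the input, but the bound parameter is what keeps the value out of the SQL text, so both belong in the fix.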

Original title
WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GE...
Original description
WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information.
NVD CVSS 3.1: 8.2
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026