CVE-2026-0597 identifies a SQL injection vulnerability in Campcodes Supplier Management System version 1.0, specifically in the /retailer/edit_profile.php endpoint. The vulnerability is triggered by manipulation of the txtRetailerAddress parameter, which is not properly sanitized or validated before being incorporated into SQL queries. This allows an attacker with low privileges to remotely inject arbitrary SQL commands without requiring user interaction. The flaw can be exploited to read, modify, or delete database records, potentially exposing sensitive supplier or retailer information or corrupting the database. The vulnerability does not require authentication but does require some level of access (low privileges), which suggests that attackers might need to be authenticated users or insiders. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and limited impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploits have been observed in the wild, a proof-of-concept exploit has been published, increasing the likelihood of exploitation attempts. The lack of available patches or updates from the vendor at the time of publication increases the urgency for organizations to implement alternative mitigations.

The SQL injection vulnerability can have significant impacts on organizations using Campcodes Supplier Management System 1.0. Successful exploitation can lead to unauthorized disclosure of sensitive supplier and retailer data, modification or deletion of critical database records, and potential disruption of supplier management operations. This can compromise the confidentiality, integrity, and availability of the system and its data. Attackers could leverage the vulnerability to escalate privileges, pivot within the network, or conduct further attacks such as data exfiltration or ransomware deployment. The supply chain nature of the affected system means that disruptions could cascade, affecting procurement, inventory management, and vendor relations. Organizations relying on this system may face operational downtime, financial losses, regulatory penalties, and reputational damage if exploited.

Organizations should immediately assess their exposure to Campcodes Supplier Management System version 1.0 and prioritize remediation. Since no official patches are currently available, practical mitigations include: 1) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the txtRetailerAddress parameter. 2) Applying strict input validation and sanitization at the application or proxy level to reject malicious input patterns. 3) Restricting access to the /retailer/edit_profile.php endpoint to trusted users or IP addresses where possible. 4) Monitoring logs for unusual database query patterns or repeated failed attempts to exploit the vulnerability. 5) Conducting thorough code reviews and refactoring the affected code to use parameterized queries or prepared statements to eliminate SQL injection risks. 6) Planning for an upgrade or replacement of the vulnerable system with a secure version once available. 7) Educating internal users about the risks and signs of exploitation attempts. These measures can reduce the attack surface and limit the potential damage until an official patch is released.