CVE-2026-0597 is a SQL injection vulnerability identified in Campcodes Supplier Management System version 1.0, affecting the /retailer/edit_profile.php endpoint. The vulnerability is caused by insufficient input validation on the txtRetailerAddress parameter, which is directly used in SQL queries without proper sanitization or parameterization. This flaw allows remote attackers to craft malicious input that alters the intended SQL command, potentially enabling unauthorized data access, modification, or deletion within the backend database. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, and the low attack complexity. Although no active exploitation in the wild has been reported, a public exploit is available, increasing the likelihood of attacks. The affected product is primarily used for supplier management, which may contain sensitive business and supplier data. The lack of vendor patches or official mitigations at the time of disclosure necessitates immediate defensive measures by users. The vulnerability's exploitation could lead to unauthorized data disclosure, data tampering, or disruption of supplier management operations, impacting business continuity and trust.

For European organizations, the impact of CVE-2026-0597 can be significant, especially for those relying on Campcodes Supplier Management System 1.0 to manage supplier relationships and procurement processes. Successful exploitation could lead to unauthorized access to sensitive supplier data, including addresses, contact details, and contractual information, potentially resulting in data breaches and regulatory non-compliance under GDPR. Integrity violations could allow attackers to alter supplier profiles, causing operational disruptions, financial losses, or supply chain manipulation. Availability impacts may arise if attackers execute destructive SQL commands, leading to system downtime and business interruption. Given the interconnected nature of supply chains in Europe, such disruptions could cascade, affecting multiple organizations and sectors. The presence of a public exploit increases the risk of opportunistic attacks, particularly targeting organizations with weak perimeter defenses or lacking timely patching procedures.

To mitigate CVE-2026-0597, organizations should immediately implement input validation and sanitization on the txtRetailerAddress parameter, ensuring that all user-supplied data is properly escaped or handled using parameterized queries (prepared statements) to prevent SQL injection. Restrict database user permissions to the minimum necessary, avoiding use of high-privilege accounts for application database access. Monitor web application logs for suspicious input patterns indicative of injection attempts. If vendor patches become available, apply them promptly. In the absence of patches, consider deploying Web Application Firewalls (WAFs) with specific SQL injection detection rules targeting the vulnerable endpoint. Conduct thorough security assessments of the supplier management system and related infrastructure. Additionally, review and enhance incident response plans to quickly address potential exploitation events. Regularly train developers and administrators on secure coding and configuration practices to prevent similar vulnerabilities.