Critical (9.8)

Beauty Parlour SQLi reads database (CVE-2026-37431)


CVE-2026-37431: Beauty Parlour Management System v1.1 appointment-detail.php SQL injection (CVSS 9.8). Attacker reads arbitrary database contents. No patch yet; apply WAF rules.

Patch now - CVE-2026-37431 is a critical SQL injection vulnerability in Beauty Parlour Management System v1.1 that lets unauthenticated attackers extract the entire database via a crafted aptnumber parameter. No vendor patch is available; follow the mitigation steps below.

Overview

CVE-2026-37431 is an unauthenticated SQL injection vulnerability found in the /appointment-detail.php endpoint of Beauty Parlour Management System version 1.1. The aptnumber GET parameter is not sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands.

Because the application processes user-supplied input directly in database queries without parameterized statements, an attacker can manipulate the query logic to extract, modify, or delete data. This vulnerability has a CVSS score of 9.8 (CRITICAL) due to the low attack complexity, no required privileges, and no user interaction.

Impact

An unauthenticated attacker can exploit this vulnerability to:

  • Read all records from connected database tables, including user credentials, appointment details, customer PII, and administrative data.
  • Potentially extract password hashes or plaintext credentials, leading to account compromise.
  • Escalate access by retrieving session tokens or administrative secrets stored in the database.

The attacker does not need to be logged in or have any prior access to the system. A single crafted HTTP request to the vulnerable endpoint can exfiltrate large volumes of sensitive data.

Remediation

As of this writing, there is no official patch for Beauty Parlour Management System v1.1. The vendor has not released a fix. Take the following immediate actions:

  1. Apply a Web Application Firewall (WAF) - Configure rules to block SQL injection patterns in the aptnumber parameter on /appointment-detail.php.
  2. Input validation - Add server-side validation to ensure the aptnumber parameter accepts only integers or pre-approved values.
  3. Use parameterized queries - Replace dynamic SQL construction with prepared statements or stored procedures.
  4. Restrict network access - If possible, limit access to the application to trusted IP ranges using firewall rules or VPN.
  5. Monitor logs - Review web server logs for unusual SQL error messages or abnormally long aptnumber values.
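Steps 2 and 3 above (integer-only validation and a prepared statement) are shown together in the following PHP handler. This is an added illustration, not code from Beauty Parlour Management System; the table and column names (`appointments`, `aptnumber`, `name`, `email`, `date`, `time`, `status`), the database name and the credentials are assumptions and must be replaced with the application's real schema and connection settings. The commented-out line at the top shows the general concatenation pattern the advisory describes so the contrast with the bound-parameter version is visible.

```php
<?php
// Added example, not the project's own code. Schema names, DSN and
// credentials below are assumptions; substitute the real ones.

// The unsafe shape the advisory describes: the raw GET value becomes part
// of the query text, so the input can alter the query's logic.
// $sql = "SELECT * FROM appointments WHERE aptnumber = '" . $_GET['aptnumber'] . "'";

/**
 * Step 2: accept only a positive integer. Anything else (letters, quotes,
 * arrays from aptnumber[]=, empty input) is rejected before any SQL runs.
 */
function validateAptNumber($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/**
 * Step 3: the value travels as a bound parameter, never as query text.
 * Assumed table/columns; adjust to the real schema.
 */
function fetchAppointment(PDO $pdo, int $aptnumber): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, aptnumber, name, email, date, time, status
           FROM appointments
          WHERE aptnumber = :aptnumber'
    );
    $stmt->bindValue(':aptnumber', $aptnumber, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection details. Emulated prepares are disabled so the
// server itself separates query text from parameters.
$pdo = new PDO('mysql:host=localhost;dbname=bpms_db;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$aptnumber = validateAptNumber($_GET['aptnumber'] ?? null);
if ($aptnumber === null) {
    http_response_code(400);
    // Generic message: the rejected value is not echoed back to the client.
    exit('Invalid appointment number.');
}

try {
    $appointment = fetchAppointment($pdo, $aptnumber);
} catch (PDOException $e) {
    // Database errors go to the server log (step 5), never to the response.
    error_log('appointment-detail lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Unable to load appointment.');
}

if ($appointment === null) {
    http_response_code(404);
    exit('Appointment not found.');
}

// Output is encoded so a stored value cannot become HTML in the page.
foreach ($appointment as $field => $value) {
    echo htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8') . ': '
       . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}
```

The 400 branch is also what makes step 5 workable: once only integers reach the query, any request that is rejected at validation, or that produces a database error in the server log, is worth a look in the access logs rather than noise.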

Organizations that cannot immediately apply code changes should treat the application as compromised until proper sanitization is implemented.

Security Insight

This vulnerability highlights a persistent problem in small-to-medium business software: SQL injection remains the most common flaw in PHP applications built without modern frameworks. Despite decades of awareness, applications like Beauty Parlour Management System continue to concatenate user input directly into SQL queries. The lack of a vendor response suggests that many such projects are abandoned after initial release, leaving users with no upgrade path. Organizations should consider replacing unsupported software with actively maintained alternatives or conducting a security audit before deploying any custom web application.
