CVE-2026-0701
Published: 08 January 2026
Summary
CVE-2026-0701 is a medium-severity Injection (CWE-74) vulnerability in Carmelo Intern Membership Management System. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-0701 is a SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Intern Membership Management System 1.0. The issue resides in an unknown functionality of the file /intern/admin/add_admin.php, where manipulation of the Username argument triggers the injection.
The vulnerability carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating a network-reachable attack of low complexity that requires no user interaction but does require high privileges on the part of the attacker. A successful remote exploit allows limited impact on confidentiality, integrity, and availability through SQL injection.
Advisories and references, including those on VulDB (ctiid.339978, id.339978, submit.733002) and the software site at code-projects.org, document the issue, while a public exploit is available on GitHub for the add_admin.php SQL injection. No specific patches or mitigations are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1583
Vulnerability details
A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. Manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection in a web application (add_admin.php) matches T1190 Exploit Public-Facing Application; limited DB impacts do not map to additional techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the Username argument in add_admin.php to reject SQL metacharacters and block the injection vector.
- AC-6 (Least Privilege): limits the number of accounts granted the high privileges required to reach /intern/admin/add_admin.php, reducing the population that can trigger the SQLi.
- Flaw remediation: mandates timely remediation of the publicly disclosed SQL injection flaw in the add_admin.php code once a patch or code fix becomes available.
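The controls above describe what an input-validation fix for the Username parameter looks like in the abstract. The following is an added illustration, not code from the Intern Membership Management System or from code-projects.org, that places the vulnerable string-concatenation pattern (the class of defect CWE-89 describes) beside a hardened handler that enforces SI-10 validation, binds the value with a prepared statement, and applies an AC-6 style privilege check. The PDO connection `$pdo`, the `admins` table and its `username`/`password` columns, the `$_SESSION['is_admin']` flag, and the username character policy are all assumptions for the example; the real application's schema and session handling are not documented on this page.

```php
<?php
// Constructed example: not the project's code. Assumes a PDO connection $pdo,
// a hypothetical `admins` table with `username` and `password` columns, and a
// hypothetical session flag $_SESSION['is_admin'] set by the admin login.

// Vulnerable pattern (CWE-89): the request value is spliced into the SQL text,
// so quote or comment characters in it change the statement's structure.
function addAdminUnsafe(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO admins (username, password) VALUES ('"
         . $post['Username'] . "', '" . $post['Password'] . "')";
    $pdo->exec($sql);
}

// SI-10: accept only a narrow, explicitly allowed username alphabet (assumed
// policy: 3 to 32 characters of letters, digits, dot, underscore, hyphen).
function validateUsername(string $username): string
{
    if (!preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username)) {
        throw new InvalidArgumentException('Username contains disallowed characters or length');
    }
    return $username;
}

// AC-6: only an already-authenticated admin session may create admin accounts.
function requireAdminSession(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Hardened handler: validate, hash the password, and bind values as data with a
// real (non-emulated) prepared statement so the database never parses them as SQL.
function addAdminSafe(PDO $pdo, array $post): void
{
    requireAdminSession();
    $username = validateUsername($post['Username'] ?? '');
    $hash = password_hash($post['Password'] ?? '', PASSWORD_DEFAULT);

    // Disable client-side emulation so MySQL receives a true prepared statement.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare('INSERT INTO admins (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}
```

The prepared statement is the control that actually removes the injection; the character allow-list is defence in depth and also keeps junk out of the account table. Note that both controls are applied only to the single parameter this advisory names, so a code review of the same file should check every other request parameter that reaches a query in the same way.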