CVE-2026-2161
Published: 08 February 2026
Summary
CVE-2026-2161 is a medium-severity Injection (CWE-74) vulnerability in Clive 21 Directory Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-2161 is a SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Directory Management System version 1.0. The flaw resides in an unknown functionality of the file /admin/forget-password.php, where manipulation of the "email" argument triggers the injection. Published on 2026-02-08, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is remotely exploitable.
Attackers require no privileges or user interaction and can exploit it over the network with low complexity. Successful exploitation enables low-level impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service via injected SQL queries. An exploit has been made public, increasing the risk for exposed instances.
Advisories are documented in VulDB entries (ctiid.344863, id.344863, submit.751082) and a GitHub issue at github.com/Wzl731/test/issues/1, along with the vendor site itsourcecode.com. No specific patches or mitigations are detailed in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5788
Vulnerability details
A vulnerability was found in itsourcecode Directory Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/forget-password.php. The manipulation of the argument email results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing web application via SQL injection in a PHP script, matching T1190 exactly with no auth or interaction required.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the email input parameter in forget-password.php to reject SQL syntax and thereby block the injection described in CVE-2026-2161.
- SC-7 (Boundary Protection): Boundary-protection mechanisms such as a WAF can inspect and drop HTTP requests containing SQL metacharacters targeting /admin/forget-password.php before they reach the vulnerable code.
- Continuous monitoring of application and database logs can identify anomalous SQL syntax or error patterns originating from the email field, enabling detection of exploitation attempts.
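The input-validation control above, sketched as an added example; this is not code from the affected project, whose source is not shown on this page. The function name, the `admins` table and its `id`/`email` columns are assumptions. It pairs email validation with a bound query parameter, because a syntactically valid address can still contain a single quote.

```php
<?php
declare(strict_types=1);

// Hypothetical lookup behind a password-reset form. The table and column
// names (admins, id, email) are assumptions, not the affected project's schema.
function find_admin_by_email(PDO $db, string $email): ?array
{
    $email = trim($email);

    // Input validation: accept only a bounded, syntactically valid address.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The value is bound as a parameter, so the database never parses it as
    // SQL, whatever characters survived validation.
    $stmt = $db->prepare('SELECT id, email FROM admins WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO admins (email) VALUES ('admin@example.test')");

// Constructed inputs: a known address, a string carrying SQL syntax, and a
// valid address whose local part contains a quote (passes validation).
$inputs = ['admin@example.test', "x' OR '1'='1", "o'brien@example.test"];
foreach ($inputs as $input) {
    $row = find_admin_by_email($db, $input);
    printf("%-24s => %s\n", $input, $row === null ? 'no match' : 'match id ' . $row['id']);
}
```

Only the first input returns a row: the second fails validation, and the third passes validation but is compared as a literal string rather than parsed as SQL.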