CVE-2026-2174
Published: 08 February 2026
Summary
CVE-2026-2174 is a medium-severity Improper Authentication (CWE-287) vulnerability in Fabian Contact Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2026-2174 is an improper authentication vulnerability (CWE-287) in code-projects Contact Management System 1.0, affecting an unknown part of the CRUD Endpoint component. The issue arises from manipulation of the ID argument, enabling remote attacks. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-08T19:16:21.597.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and no user interaction needed, due to low attack complexity and network accessibility. Successful exploitation allows limited impacts, including low-level disruption to confidentiality, integrity, and availability.
Advisories and further details are available from VulDB at https://vuldb.com/?ctiid.344875, https://vuldb.com/?id.344875, and https://vuldb.com/?submit.749262, as well as the project site at https://code-projects.org/.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5776
Vulnerability details
A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authentication (CWE-287) in public-facing CRUD endpoint of web app allows unauthenticated remote exploitation via ID manipulation, directly mapping to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization decisions on the CRUD endpoint before permitting ID-based operations.
Requires identification and authentication of non-organizational users before allowing remote access to the contact management functions.
Establishes controls and authentication requirements for all remote access to the vulnerable endpoint.