Cyber Posture

CVE-2026-2176

Medium

Published: 08 February 2026

Published
08 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0004 11.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2176 is a medium-severity Injection (CWE-74) vulnerability in Fabian Contact Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

SA-11 Developer Testing and Evaluation
addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-10 Information Input Validation
addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

SI-4 System Monitoring
addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in a remotely accessible web application directly enables exploitation of public-facing apps (T1190) for limited data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely.

Deeper analysisAI

CVE-2026-2176 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Contact Management System 1.0. The issue affects unknown processing logic in the index.py file, where manipulation of the selecteditem[0] argument enables SQL code injection. The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability without requiring user interaction. Exploitation over the network allows limited impacts, including partial disclosure of confidential information, limited data modification, and limited denial-of-service effects through resource consumption.

Mitigation details are referenced in advisories from VulDB (https://vuldb.com/?ctiid.344877, https://vuldb.com/?id.344877, https://vuldb.com/?submit.749264) and the project site (https://code-projects.org/), though specific patch information is not detailed in available disclosures.

Details

CWE(s)
CWE-74CWE-89

Affected Products

fabian
contact management system
1.0

CVEs Like This One

CVE-2026-2174Same product: Fabian Contact Management System
CVE-2025-0300Same vendor: Fabian
CVE-2026-1535Same vendor: Fabian
CVE-2025-7187Same vendor: Fabian
CVE-2026-0579Same vendor: Fabian
CVE-2026-0607Same vendor: Fabian
CVE-2026-0578Same vendor: Fabian
CVE-2026-1534Same vendor: Fabian
CVE-2026-0585Same vendor: Fabian
CVE-2026-0852Same vendor: Fabian

References