Cyber Resilience

CVE-2026-2176

Medium

Published: 08 February 2026

Published
08 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 15.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2176 is a medium-severity Injection (CWE-74) vulnerability in Fabian Contact Management System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2176 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Contact Management System 1.0. The issue affects unknown processing logic in the index.py file, where manipulation of the selecteditem[0] argument enables SQL code injection. The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability without requiring user interaction. Exploitation over the network allows limited impacts, including partial disclosure of confidential information, limited data modification, and limited denial-of-service effects through resource consumption.

Mitigation details are referenced in advisories from VulDB (https://vuldb.com/?ctiid.344877, https://vuldb.com/?id.344877, https://vuldb.com/?submit.749264) and the project site (https://code-projects.org/), though specific patch information is not detailed in available disclosures.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application directly enables exploitation of public-facing apps (T1190) for limited data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2174Same product: Fabian Contact Management System
CVE-2026-0851Same vendor: Fabian
CVE-2026-2060Same vendor: Fabian
CVE-2025-7186Same vendor: Fabian
CVE-2026-2197Same vendor: Fabian
CVE-2025-7189Same vendor: Fabian
CVE-2026-0592Same vendor: Fabian
CVE-2026-0607Same vendor: Fabian
CVE-2026-0568Same vendor: Fabian
CVE-2026-1533Same vendor: Fabian

Affected Assets

fabian
contact management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the selecteditem[0] argument in index.py to reject SQL injection payloads before they reach the database.

prevent

Mandates timely remediation of the identified SQL injection flaw in Contact Management System 1.0 to eliminate the vulnerable code path.

detect

Enables monitoring and analysis of application inputs and database queries to identify anomalous SQL statements originating from the index.py endpoint.

References