CVE-2026-26892
Published: 03 March 2026
Summary
CVE-2026-26892 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Simple Logistic Hub Parcel\'S Management System. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-26892 is an SQL injection vulnerability (CWE-89) in Sourcecodester Logistic Hub Parcel's Management System version 1.0, specifically affecting the /manage_carrier.php component. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue that could compromise the application's database integrity.
The vulnerability can be exploited over the network by an authenticated user with high privileges (PR:H), requiring low attack complexity and no user interaction. Attackers can inject malicious SQL queries, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion within the database.
A bug report detailing the vulnerability is available at https://github.com/shininadd/bug_report/blob/main/Sourcecodester/simple-logistic-hub-parcels-management-system/SQL-2.md. No specific patches or mitigation steps are outlined in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9309
Vulnerability details
Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely exploitable web application component directly enables initial access by exploiting a public-facing (or network-accessible) application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of inputs to /manage_carrier.php, blocking the malicious SQL payloads that constitute this CWE-89 vulnerability.
Restricts the high-privilege (PR:H) accounts that can reach the vulnerable manage_carrier.php endpoint, reducing the population able to exploit the injection.
Mandates timely remediation of the known SQL-injection flaw in the deployed Sourcecodester application before exploitation occurs.