CVE-2026-26892

HighPublic PoC

Published: 03 March 2026

Published

03 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26892 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Simple Logistic Hub Parcel\'S Management System. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

SI-10 Information Input Validation

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in a remotely exploitable web application component directly enables initial access by exploiting a public-facing (or network-accessible) application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php.

Deeper analysisAI

CVE-2026-26892 is an SQL injection vulnerability (CWE-89) in Sourcecodester Logistic Hub Parcel's Management System version 1.0, specifically affecting the /manage_carrier.php component. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue that could compromise the application's database integrity.

The vulnerability can be exploited over the network by an authenticated user with high privileges (PR:H), requiring low attack complexity and no user interaction. Attackers can inject malicious SQL queries, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion within the database.

A bug report detailing the vulnerability is available at https://github.com/shininadd/bug_report/blob/main/Sourcecodester/simple-logistic-hub-parcels-management-system/SQL-2.md. No specific patches or mitigation steps are outlined in the provided references.

Details

CWE(s): CWE-89

Affected Products

oretnom23

simple logistic hub parcel\'s management system

1.0

CVEs Like This One

CVE-2026-30531Same vendor: Oretnom23

CVE-2026-30533Same vendor: Oretnom23

CVE-2026-30529Same vendor: Oretnom23

CVE-2026-26706Same vendor: Oretnom23

CVE-2026-30532Same vendor: Oretnom23

CVE-2026-26705Same vendor: Oretnom23

CVE-2026-30530Same vendor: Oretnom23

CVE-2026-26707Same vendor: Oretnom23

CVE-2026-2848Same vendor: Oretnom23

CVE-2026-26708Same vendor: Oretnom23

References

https://github.com/shininadd/bug_report/blob/main/Sourcecodester/simple-logistic-hub-parcels-management-system/SQL-2.md
Exploit, Third Party Advisory · cve@mitre.org