Cyber Resilience

CVE-2026-26892

HighPublic PoC

Published: 03 March 2026

Published
03 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 11.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26892 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Simple Logistic Hub Parcel\'S Management System. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26892 is an SQL injection vulnerability (CWE-89) in Sourcecodester Logistic Hub Parcel's Management System version 1.0, specifically affecting the /manage_carrier.php component. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue that could compromise the application's database integrity.

The vulnerability can be exploited over the network by an authenticated user with high privileges (PR:H), requiring low attack complexity and no user interaction. Attackers can inject malicious SQL queries, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion within the database.

A bug report detailing the vulnerability is available at https://github.com/shininadd/bug_report/blob/main/Sourcecodester/simple-logistic-hub-parcels-management-system/SQL-2.md. No specific patches or mitigation steps are outlined in the provided references.

EU & UK References

Vulnerability details

Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely exploitable web application component directly enables initial access by exploiting a public-facing (or network-accessible) application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26705Same vendor: Oretnom23
CVE-2026-30529Same vendor: Oretnom23
CVE-2026-30532Same vendor: Oretnom23
CVE-2026-26707Same vendor: Oretnom23
CVE-2026-30530Same vendor: Oretnom23
CVE-2026-26706Same vendor: Oretnom23
CVE-2026-30533Same vendor: Oretnom23
CVE-2026-30531Same vendor: Oretnom23
CVE-2026-3746Same vendor: Oretnom23
CVE-2026-26708Same vendor: Oretnom23

Affected Assets

oretnom23
simple logistic hub parcel\'s management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of inputs to /manage_carrier.php, blocking the malicious SQL payloads that constitute this CWE-89 vulnerability.

prevent

Restricts the high-privilege (PR:H) accounts that can reach the vulnerable manage_carrier.php endpoint, reducing the population able to exploit the injection.

prevent

Mandates timely remediation of the known SQL-injection flaw in the deployed Sourcecodester application before exploitation occurs.

References