Cyber Resilience

CVE-2026-2865

MediumPublic PoC

Published: 21 February 2026

Published
21 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 25.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2865 is a medium-severity Injection (CWE-74) vulnerability in Adonesevangelista Agri-Trading Online Shopping System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-2865 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Agri-Trading Online Shopping System 1.0, published on 2026-02-21. It affects an unknown function in the file admin/productcontroller.php within the HTTP POST Request Handler component, where manipulation of the 'Product' argument triggers the issue.

The vulnerability is remotely exploitable by unauthenticated attackers requiring low complexity and no user interaction, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can result in low impacts to confidentiality, integrity, and availability. An exploit has been made public and could be used.

Advisories and details are documented on VulDB (ctiid.347104, id.347104, submit.754556), a GitHub issue (https://github.com/wan1yan/cve/issues/3), and the vendor site (https://itsourcecode.com/).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack…

more

may be initiated remotely. The exploit has been made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated HTTP POST handler of public-facing web app (productcontroller.php) directly enables remote exploitation of the application per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7193Same product: Adonesevangelista Agri-Trading Online Shopping System
CVE-2026-1159Same vendor: Adonesevangelista
CVE-2026-4470Same vendor: Adonesevangelista
CVE-2026-4471Same vendor: Adonesevangelista
CVE-2026-4472Same vendor: Adonesevangelista
CVE-2026-4469Same vendor: Adonesevangelista
CVE-2026-2116Shared CWE-74, CWE-89
CVE-2025-15436Shared CWE-74, CWE-89
CVE-2026-6148Shared CWE-74, CWE-89
CVE-2026-3792Shared CWE-74, CWE-89

Affected Assets

adonesevangelista
agri-trading online shopping system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the 'Product' input argument in productcontroller.php to block SQL injection payloads before they reach the database.

preventdetect

Boundary protection mechanisms such as a WAF can inspect and filter malicious HTTP POST requests targeting admin/productcontroller.php.

detect

System monitoring can identify anomalous SQL statements or error patterns generated by attempted exploitation of the Product parameter.

References