CVE-2026-29861
Published: 10 April 2026
Summary
CVE-2026-29861 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29861, published on 2026-04-10, is a SQL injection vulnerability (CWE-89) affecting PHP-MYSQL-User-Login-System version 1.0. The flaw exists via the username parameter in the login.php file, allowing malicious SQL payloads to be injected and executed.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable over the network by unauthenticated attackers with low complexity and no user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion through arbitrary SQL command execution.
Mitigation details are available in the referenced advisory at https://github.com/amanyadav78/CVE-2026-29861.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21386
Vulnerability details
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing login.php page directly enables T1190 (Exploit Public-Facing Application) for initial access and arbitrary SQL execution impacting confidentiality/integrity/availability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the username parameter in login.php to block malicious SQL injection payloads.
Mandates timely identification, reporting, and correction of the SQL injection flaw in the PHP-MySQL login system.
Enforces restrictions on username input such as length and allowed characters to mitigate SQL injection attempts.