Cyber Resilience

CVE-2026-3135

Severity: Medium · Public PoC

Published: 25 February 2026
Modified: 25 February 2026
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score (v4): 6.9 · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (25.0th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3135 is a medium-severity Injection (CWE-74) vulnerability in Clive 21 News Portal Project. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-3135 is a SQL injection vulnerability affecting the itsourcecode News Portal Project version 1.0. The flaw exists in an unknown function within the file /admin/add-category.php, where manipulation of the Category argument triggers the injection. Published on 2026-02-25, it is classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely without authentication, privileges, or user interaction. An attacker can send crafted requests to the affected endpoint and potentially read limited sensitive data, make limited modifications to database contents, or cause minor service disruption.

Advisories documented on VulDB (ctiid.347630, id.347630, submit.758336) detail the issue, while a GitHub issue in the 910biter/cve repository (910biter/cve/issues/2) hosts a public exploit. The vendor site itsourcecode.com is referenced, though no specific patches or mitigations are outlined in the available details.

The public availability of the exploit heightens the risk for unpatched instances of this news portal software.

Vulnerability details

A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. Manipulation of the argument Category causes SQL injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in an unauthenticated web endpoint (/admin/add-category.php) directly enables remote exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3164: same product (Clive 21 News Portal Project)
CVE-2026-3134: same product (Clive 21 News Portal Project)
CVE-2026-2162: same product (Clive 21 News Portal Project)
CVE-2026-2225: same product (Clive 21 News Portal Project)
CVE-2026-2161: same vendor (Clive 21)
CVE-2026-1688: same vendor (Clive 21)
CVE-2026-2116: shared CWE-74, CWE-89
CVE-2025-15436: shared CWE-74, CWE-89
CVE-2026-6148: shared CWE-74, CWE-89
CVE-2026-3792: shared CWE-74, CWE-89

Affected Assets

Vendor: Clive 21
Product: News Portal Project
Version: 1.0

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation · prevent
Directly requires validation and sanitization of untrusted input such as the Category parameter before it reaches SQL statements.

SC-7 Boundary Protection · prevent
Boundary protection devices or WAF rules can inspect and block SQL injection payloads targeting /admin/add-category.php.

prevent
Requires timely remediation of the known SQL injection flaw in add-category.php once a patch or code fix is available.
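As an added illustration (not code from the News Portal Project or from this page), the PHP below shows the pattern the SI-10 control is aimed at: a handler that splices the Category value into an INSERT statement, beside one that validates the value and binds it as a prepared-statement parameter. The table name `categories`, its `name` column and the in-memory SQLite connection are assumptions made for the demo.

```php
<?php
// Added illustration (not the News Portal Project's own code): a vulnerable
// handler for the Category field next to a hardened one. Assumes a table
// `categories(name)` and a PDO connection; both names are hypothetical.

// Vulnerable: the request value is spliced into the SQL text, so a quote in
// the input changes the statement instead of being stored as data.
function addCategoryVulnerable(PDO $pdo, string $category): void
{
    $sql = "INSERT INTO categories (name) VALUES ('" . $category . "')";
    $pdo->exec($sql);
}

// Hardened (SI-10): check shape and length first, then bind the value as a
// parameter so the database engine never parses it as SQL.
function addCategorySafe(PDO $pdo, string $category): void
{
    $category = trim($category);
    if ($category === '' || strlen($category) > 64) {
        throw new InvalidArgumentException('Category must be 1-64 bytes');
    }
    $stmt = $pdo->prepare('INSERT INTO categories (name) VALUES (:name)');
    $stmt->bindValue(':name', $category, PDO::PARAM_STR);
    $stmt->execute();
}

// Stand-alone demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: an ordinary apostrophe is enough to break the vulnerable version.
$input = "O'Brien picks";
try {
    addCategoryVulnerable($pdo, $input);
} catch (PDOException $e) {
    echo "Vulnerable handler failed on a plain apostrophe: " . $e->getMessage() . PHP_EOL;
}
addCategorySafe($pdo, $input);
echo "Safe handler stored: " . $pdo->query('SELECT name FROM categories')->fetchColumn() . PHP_EOL;
```

The same failure that a legitimate apostrophe triggers in the first handler is what an injected quote exploits; the second handler removes the problem because the value is never part of the SQL text.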
