CVE-2026-3135
Published: 25 February 2026
Summary
CVE-2026-3135 is a medium-severity Injection (CWE-74) vulnerability in Clive 21 News Portal Project. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-3135 is a SQL injection vulnerability affecting the itsourcecode News Portal Project version 1.0. The flaw exists in an unknown function within the file /admin/add-category.php, where manipulation of the Category argument triggers the injection. Published on 2026-02-25, it is classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely without authentication, privileges, or user interaction. An attacker can send crafted requests to the affected endpoint, potentially reading limited sensitive data, making limited modifications to database contents, or causing minor service disruption.
Advisories documented on VulDB (ctiid.347630, id.347630, submit.758336) detail the issue, while a GitHub repository (910biter/cve/issues/2) hosts a public exploit. The vendor site itsourcecode.com is referenced, but the available details outline no specific patch or mitigation.
The public availability of the exploit heightens the risk for unpatched instances of this news portal software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8575
Vulnerability details
A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. This manipulation of the argument Category causes SQL injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated web endpoint (/admin/add-category.php) directly enables remote exploitation of a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input such as the Category parameter before it reaches SQL statements.
- SC-7 (Boundary Protection): boundary protection devices or WAF rules can inspect and block SQL injection payloads targeting /admin/add-category.php.
- Flaw remediation: requires timely remediation of the known SQL injection flaw in add-category.php once a patch or code fix is available.
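As an added example, not code from the News Portal Project or from VulDB, the input-validation control above applied to a category-insert handler of the kind the advisory describes: the concatenation pattern that makes a Category parameter injectable, beside a hardened version that allow-lists the value and binds it through a PDO prepared statement. The table and column names, the `$_SESSION['admin_id']` flag, and the connection details are assumptions, not details taken from the project.

```php
<?php
// Added example, not code from the News Portal Project. Assumed names: table
// `categories` with column `name`, session flag $_SESSION['admin_id'], DSN values.

// Injectable pattern: the Category value is concatenated into the SQL text, so any
// quote character in it ends the literal and the remainder is parsed as SQL.
function add_category_vulnerable(PDO $pdo, string $category): bool
{
    $sql = "INSERT INTO categories (name) VALUES ('" . $category . "')";
    return $pdo->exec($sql) !== false;
}

// SI-10 style check: allow-list the characters and bound the length, and reject
// rather than strip. An apostrophe is legitimately allowed here; the parameterised
// query below, not character filtering, is what keeps it from being parsed as SQL.
function validate_category_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 50) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} &\'.-]+$/u', $name) === 1 ? $name : null;
}

function add_category_hardened(PDO $pdo, string $raw): bool
{
    $name = validate_category_name($raw);
    if ($name === null) {
        return false;
    }
    // Bound parameter: the value travels separately from the statement text.
    $stmt = $pdo->prepare('INSERT INTO categories (name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

// Request handling for /admin/add-category.php. The advisory says the flaw is
// reachable without authentication; the session check is an assumed hardening.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('forbidden');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Category'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=newsportal', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    echo add_category_hardened($pdo, (string) $_POST['Category']) ? 'ok' : 'invalid category';
}
```

The vulnerable function is kept only for contrast and is never called; in a real fix it would be deleted along with every other string-built query in the admin pages.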