Cyber Resilience

CVE-2026-3757

MediumPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3757 is a medium-severity Injection (CWE-74) vulnerability in Projectworlds Online Art Gallery Shop. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3757 is a SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Online Art Gallery Shop 1.0. The issue affects an unknown functionality exposed via the /?pass=1 file or endpoint, where manipulation of the 'fnm' argument triggers the injection. Published on 2026-03-08, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.

Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. By crafting malicious input for the 'fnm' parameter, attackers may execute arbitrary SQL queries, potentially leading to low-level impacts on confidentiality (e.g., data exposure), integrity (e.g., data alteration), and availability (e.g., denial of service). An exploit for this vulnerability has been publicly released, increasing the risk of widespread attacks against exposed instances.

Advisories and further details are available in the referenced sources, including a GitHub issue at https://github.com/hmkunlun/projectworldcve/issues/1 and VulDB entries at https://vuldb.com/?ctiid.349735, https://vuldb.com/?id.349735, and https://vuldb.com/?submit.768057. No specific patches or mitigations are detailed in the initial disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched…

more

remotely. The exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a publicly exposed web application endpoint directly enables remote exploitation of a public-facing app (T1190) with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3406Same product: Projectworlds Online Art Gallery Shop
CVE-2026-3759Same product: Projectworlds Online Art Gallery Shop
CVE-2026-3758Same product: Projectworlds Online Art Gallery Shop
CVE-2026-2136Same vendor: Projectworlds
CVE-2026-5368Same vendor: Projectworlds
CVE-2025-1962Same vendor: Projectworlds
CVE-2025-2067Same vendor: Projectworlds
CVE-2024-57328Same vendor: Projectworlds
CVE-2025-2659Same vendor: Projectworlds
CVE-2025-1965Same vendor: Projectworlds

Affected Assets

projectworlds
online art gallery shop
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the 'fnm' input parameter to block crafted SQL payloads before they reach the database.

prevent

Enforces that only authorized queries and data accesses are permitted, limiting the ability of an unauthenticated remote attacker to execute arbitrary SQL.

detect

Enables monitoring and analysis of application inputs and database queries to identify anomalous patterns indicative of SQL injection attempts.

References