CVE-2026-4580
Published: 23 March 2026
Summary
CVE-2026-4580 is a high-severity Injection (CWE-74) vulnerability in Code-Projects Simple Laundry System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-4580 by requiring timely patching or code remediation of the SQL injection flaw in /checkupdatestatus.php.
Prevents SQL injection exploitation by validating and sanitizing the serviceId input parameter before database query construction.
Detects the SQL injection vulnerability in Simple Laundry System 1.0 through periodic vulnerability scanning of web applications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing web application (/checkupdatestatus.php) matches T1190 Exploit Public-Facing Application as the primary attack vector; limited C/I/A impacts do not clearly enable additional techniques such as command execution or credential dumping.
NVD Description
A security flaw has been discovered in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkupdatestatus.php of the component Parameters Handler. The manipulation of the argument serviceId results in sql injection. The attack can be…
more
executed remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-4580 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple Laundry System 1.0. It affects an unknown function in the file /checkupdatestatus.php within the Parameters Handler component, where manipulation of the serviceId argument enables SQL code injection.
The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity, no user interaction, and no privileges, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can lead to limited impacts on confidentiality, integrity, and availability.
Advisories provide further details via VulDB entries (ctiid.352417, id.352417, submit.775210), a GitHub issue at anon387tdug/anon388/issues/2, and the software page at code-projects.org/? The exploit has been publicly released, increasing potential for attacks.
Details
- CWE(s)