CVE-2026-4581
Published: 23 March 2026
Summary
CVE-2026-4581 is a high-severity Injection (CWE-74) vulnerability in Code-Projects Simple Laundry System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection by validating and sanitizing the Username parameter in /checklogin.php before inclusion in SQL queries.
SI-2 ensures timely patching or code remediation of the identified SQL injection flaw in Simple Laundry System 1.0.
RA-5 vulnerability scanning detects SQL injection vulnerabilities like CVE-2026-4581 in web applications such as the Parameters Handler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a public-facing web application (checklogin.php) directly enables initial access via exploitation of an internet-facing app, matching T1190 exactly as described in ATT&CK for SQLi and similar web flaws.
NVD Description
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be…
more
carried out remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-4581 is a SQL injection vulnerability in code-projects Simple Laundry System 1.0, affecting an unknown function in the file /checklogin.php within the Parameters Handler component. The issue arises from improper handling of the Username argument, enabling injection attacks. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability was published on 2026-03-23.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no user interaction or privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads in the login process.
Advisories and details are available through references including the vendor site at code-projects.org, a GitHub issue at github.com/anon387tdug/anon388/issues/1, and VulDB entries at vuldb.com/?submit.775211, vuldb.com/?vuln.352418, and vuldb.com/?vuln.352418/?cti, though specific patch or mitigation guidance is not detailed in the initial disclosure.
A public exploit is available, increasing the risk of real-world attacks against exposed instances of Simple Laundry System 1.0.
Details
- CWE(s)