Cyber Posture

CVE-2026-4844

High

Published: 26 March 2026

Published
26 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0004 13.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4844 is a high-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates SQL injection by requiring validation of the Username input in /admin.php to prevent malicious SQL payloads from being executed.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the SQL injection flaw in the Admin Login Module, eliminating the vulnerability through patching.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Enables vulnerability scanning to identify the SQL injection issue in /admin.php, facilitating proactive remediation before exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in the unauthenticated admin login endpoint of an internet-facing web application directly enables remote exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was detected in code-projects Online Food Ordering System 1.0. This issue affects some unknown processing of the file /admin.php of the component Admin Login Module. The manipulation of the argument Username results in sql injection. The attack may…

more

be performed from remote. The exploit is now public and may be used.

Deeper analysisAI

CVE-2026-4844 is a SQL injection vulnerability (CWE-74, CWE-89) in the code-projects Online Food Ordering System 1.0. The issue resides in the /admin.php file of the Admin Login Module, where manipulation of the Username argument enables SQL injection.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability.

Advisories and further details are available via VulDB entries (https://vuldb.com/?ctiid.353149, https://vuldb.com/?id.353149, https://vuldb.com/?submit.776137) and the project site (https://code-projects.org/). A public exploit is available at https://gist.github.com/HxH404/8e5bd42c0f968a92a23edc5e7b879955.

The exploit's public availability heightens the risk of real-world exploitation against exposed instances of the affected software.

Details

CWE(s)
CWE-74CWE-89

Affected Products

Code Projects
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-0698Shared CWE-74, CWE-89
CVE-2026-3790Shared CWE-74, CWE-89
CVE-2026-5813Shared CWE-74, CWE-89
CVE-2026-3406Shared CWE-74, CWE-89
CVE-2026-3151Shared CWE-74, CWE-89
CVE-2025-1809Shared CWE-74, CWE-89
CVE-2025-1464Shared CWE-74, CWE-89
CVE-2026-6189Shared CWE-74, CWE-89
CVE-2025-2088Shared CWE-74, CWE-89
CVE-2025-2679Shared CWE-74, CWE-89

References