CVE-2026-5368
Published: 02 April 2026
Summary
CVE-2026-5368 is a high-severity Injection (CWE-74) vulnerability in Projectworlds Car Rental Project. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating the 'uname' parameter in /login.php against organization-defined criteria to ensure only valid inputs are processed.
Requires timely identification, reporting, and correction of the specific SQL injection flaw in the Parameter Handler component of the Car Rental Project.
Enforces restrictions on information inputs like the 'uname' argument at web application boundaries to limit injection payload types, sizes, and formats.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (/login.php) directly enables T1190 Exploit Public-Facing Application for initial access and data manipulation.
NVD Description
A vulnerability was determined in projectworlds Car Rental Project 1.0. The affected element is an unknown function of the file /login.php of the component Parameter Handler. This manipulation of the argument uname causes sql injection. Remote exploitation of the attack…
more
is possible. The exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-5368 is a SQL injection vulnerability (CWE-74, CWE-89) in the projectworlds Car Rental Project version 1.0. The issue affects an unknown function within the /login.php file of the Parameter Handler component, where manipulation of the "uname" argument enables injection. The vulnerability was published on 2026-04-02 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated as High severity.
Remote attackers can exploit this vulnerability over the network with low complexity and no required privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via SQL injection. The exploit has been publicly disclosed and is available for utilization.
Advisories referenced in VulDB entries (vuldb.com/vuln/354746 and related pages) and a GitHub issue (github.com/eqiya17/collection-of-vulnerabilities/issues/5) document the vulnerability details and public exploit, but no specific patches or mitigation steps are outlined in the available information. Security practitioners should review these sources for updates and consider input validation or upgrading the affected application.
Details
- CWE(s)