CVE-2026-5540
Published: 05 April 2026
Summary
CVE-2026-5540 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5540, published on 2026-04-05, is a SQL injection vulnerability in code-projects Simple Laundry System 1.0. It affects unknown code in the file /modifymember.php within the Parameter Handler component, where manipulation of the firstName argument triggers the issue (CWE-74, CWE-89). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers can exploit this vulnerability without authentication or user interaction, requiring only low attack complexity. Successful exploitation enables SQL injection, allowing limited impacts on confidentiality, integrity, and availability.
Advisories referenced in VulDB entries (e.g., https://vuldb.com/vuln/355293) and a GitHub issue (https://github.com/boyslikesports/vul-web/issues/4) document the flaw, with the exploit publicly disclosed and potentially usable. The project site (https://code-projects.org/) provides context on the affected software, but no specific patches or mitigations are detailed in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19030
Vulnerability details
A vulnerability has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modifymember.php of the component Parameter Handler. Such manipulation of the argument firstName leads to sql injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in a web application directly enables initial access via exploitation of a public-facing app (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of the firstName parameter content and form prior to processing, directly preventing SQL injection in /modifymember.php.
SI-2 mandates timely remediation of flaws like this SQL injection vulnerability through patching or code fixes.
RA-5 vulnerability scanning identifies SQL injection issues such as CVE-2026-5540 in the Parameter Handler component.