Cyber Resilience

CVE-2026-5637

Severity: Medium
Published: 06 April 2026
Modified: 27 April 2026
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0004 (12.5th percentile)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5637 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 12.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5637 is a SQL injection vulnerability in projectworlds Car Rental System 1.0, affecting unknown code within the /message_admin.php file of the Parameter Handler component. The issue arises from improper handling of the "Message" argument, allowing attacker-supplied input to alter the structure of database queries. Classified under CWE-74 (Injection) and CWE-89 (SQL Injection), it received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on April 6, 2026.

The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as extracting sensitive data, modifying records, or disrupting service through injected SQL payloads targeting the Message parameter.

Advisories on VulDB (vuln/355425) and a GitHub repository (eqiya17/collection-of-vulnerabilities/issues/13) document the issue, noting that the exploit has been publicly disclosed and is available for use. No specific patches or mitigation steps are detailed in the provided references.

The public disclosure of the exploit increases the risk of real-world attacks against unpatched instances of the Car Rental System.

Vulnerability details

A security vulnerability has been detected in projectworlds Car Rental System 1.0. This vulnerability affects unknown code of the file /message_admin.php of the component Parameter Handler. Such manipulation of the argument Message leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing web application directly enables T1190 (remote, unauthenticated initial access). It also facilitates T1213.006 by allowing arbitrary manipulation of database queries for data extraction or modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0336 (shared CWE-74, CWE-89)
CVE-2025-2624 (shared CWE-74, CWE-89)
CVE-2026-4289 (shared CWE-74, CWE-89)
CVE-2025-0949 (shared CWE-74, CWE-89)
CVE-2025-0943 (shared CWE-74, CWE-89)
CVE-2026-7060 (shared CWE-74, CWE-89)
CVE-2025-0210 (shared CWE-74, CWE-89)
CVE-2025-7172 (shared CWE-74, CWE-89)
CVE-2025-2387 (shared CWE-74, CWE-89)
CVE-2026-3042 (shared CWE-74, CWE-89)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires input validation and sanitization of the Message parameter in /message_admin.php to prevent SQL injection exploitation.

prevent: Mandates timely identification, reporting, and remediation of the specific SQL injection flaw in the Car Rental System.

prevent / detect: Requires vulnerability scanning to detect the publicly disclosed SQL injection vulnerability and initiate remediation.
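As an added illustration, not code from projectworlds Car Rental System or from this advisory, the following shows the pattern the deeper analysis describes (a request parameter concatenated into a SQL statement) beside the validated, parameterised form that the input-validation control above calls for. The `messages` table, its `message` column, the connection details and the 2000-character limit are assumptions.

```php
<?php
// Illustrative example only; NOT the Car Rental System source.
// Assumes a table `messages` with a text column `message` and a mysqli connection.

// Hypothetical vulnerable pattern: the request parameter becomes part of the SQL text,
// so quote characters in it are interpreted as SQL syntax rather than as data.
function save_message_vulnerable(mysqli $db, string $message): bool
{
    $sql = "INSERT INTO messages (message) VALUES ('" . $message . "')";
    return $db->query($sql) !== false;
}

// Hardened pattern: validate the input first (NIST SI-10), then bind it as a
// parameter so the database always treats it as a string value, never as SQL.
function save_message_safe(mysqli $db, string $message): bool
{
    $message = trim($message);
    if ($message === '' || mb_strlen($message) > 2000) {   // assumed length limit
        return false;                                       // reject before touching the DB
    }
    $stmt = $db->prepare("INSERT INTO messages (message) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $message);   // 's' binds as a string; no concatenation
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical handling of the Message request parameter (placeholder credentials).
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'car_rental');
$db->set_charset('utf8mb4');            // keep charset consistent for the bound value
if (save_message_safe($db, $_POST['Message'] ?? '')) {
    echo 'Message stored';
} else {
    http_response_code(400);
    echo 'Invalid message';
}
```

Rejected input is never echoed back, and the rejection is a good place to emit a log line for the vulnerability-scanning and detection control listed above.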
