CVE-2026-5637
Published: 06 April 2026
Summary
CVE-2026-5637 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5637 is a SQL injection vulnerability in projectworlds Car Rental System 1.0, affecting unidentified code within the /message_admin.php file of the Parameter Handler component. The issue arises from improper handling of the "Message" argument, allowing attacker-controlled input to alter the structure of database queries. Classified under CWE-74 (Injection) and CWE-89 (SQL Injection), it received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on April 6, 2026.
The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as extracting sensitive data, modifying records, or disrupting service through injected SQL payloads targeting the Message parameter.
Advisories on VulDB (vuln/355425) and a GitHub repository (eqiya17/collection-of-vulnerabilities/issues/13) document the issue, noting that the exploit has been publicly disclosed and is available for use. No specific patches or mitigation steps are detailed in the provided references.
The public disclosure of the exploit increases the risk of real-world attacks against unpatched instances of the Car Rental System.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19203
Vulnerability details
A security vulnerability has been detected in projectworlds Car Rental System 1.0. This vulnerability affects unknown code of the file /message_admin.php of the component Parameter Handler. Such manipulation of the argument Message leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app directly enables T1190 for remote unauthenticated initial access; facilitates T1213.006 by allowing arbitrary database query manipulation for data extraction/modification.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires input validation and sanitization of the Message parameter in /message_admin.php to prevent SQL injection exploitation.
- Mandates timely identification, reporting, and remediation of the specific SQL injection flaw in the Car Rental System.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to detect the publicly disclosed SQL injection vulnerability and initiate remediation.
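One way to satisfy the SI-10 control for the Message parameter, as an added example that is not code from projectworlds Car Rental System: the advisory does not publish the affected handler, so the table name, column, database credentials, length limit and request wiring below are assumptions. The value is validated first and then passed to the database only as a bound parameter, so it is never spliced into SQL text.

```php
<?php
// Added illustration, not the project's own code. The advisory does not
// publish the vulnerable handler, so the schema (admin_messages table,
// message column), credentials and length limit here are assumed.
declare(strict_types=1);

/**
 * Validate the Message parameter before it reaches the database (SI-10).
 * Returns the cleaned string, or null if the input is unacceptable.
 */
function validateMessage(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                          // arrays or missing values are rejected
    }
    $msg = trim($raw);
    if ($msg === '' || strlen($msg) > 2000) { // assumed maximum length
        return null;
    }
    if (!mb_check_encoding($msg, 'UTF-8')) {
        return null;                          // reject malformed encodings
    }
    return $msg;
}

/**
 * Store the message with a bound parameter: whatever characters the value
 * contains, it is sent as data and cannot change the query structure.
 */
function storeAdminMessage(PDO $db, string $message): bool
{
    // Assumed schema: admin_messages(id, message, created_at)
    $stmt = $db->prepare(
        'INSERT INTO admin_messages (message, created_at) VALUES (:message, NOW())'
    );
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    return $stmt->execute();
}

// Hypothetical request wiring for /message_admin.php
$db = new PDO('mysql:host=localhost;dbname=carrental', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,      // use native server-side prepares
]);

$message = validateMessage($_POST['Message'] ?? null);
if ($message === null) {
    http_response_code(400);
    exit('Invalid Message parameter');
}
storeAdminMessage($db, $message);
```

Disabling emulated prepares makes the MySQL server itself separate query text from parameter values, which is the property the advisory's "Parameter Handler" lacks.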