CVE-2026-5645
Published: 06 April 2026
Summary
CVE-2026-5645 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5645 is a SQL injection vulnerability (CWE-74, CWE-89) affecting projectworlds Car Rental System 1.0. The flaw resides in an unknown functionality of the file /pay.php within the Parameter Handler component, where manipulation of the 'mpesa' argument enables injection of malicious SQL code. Published on 2026-04-06, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoint. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as extracting sensitive data, modifying database contents, or disrupting service. An exploit has been made publicly available, increasing the risk of real-world attacks.
Advisories and details are documented in references including a GitHub issue at https://github.com/2840364044/SQL-Vulnerability-database/issues/1 and VulDB entries at https://vuldb.com/submit/786149, https://vuldb.com/vuln/355433, and https://vuldb.com/vuln/355433/cti. No specific patches or mitigations are detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19221
Vulnerability details
A weakness has been identified in projectworlds Car Rental System 1.0. Affected by this vulnerability is an unknown functionality of the file /pay.php of the component Parameter Handler. Executing a manipulation of the argument mpesa can lead to sql injection.…
more
The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public web endpoint (/pay.php) directly enables remote exploitation of the application per T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by enforcing validation of the untrusted 'mpesa' parameter in /pay.php before database queries.
Requires identification and remediation of the specific SQL injection flaw in the Car Rental System's Parameter Handler.
Boundary protection mechanisms inspect and filter inbound requests to block SQL injection attempts targeting /pay.php.