CVE-2026-5805
Published: 08 April 2026
Summary
CVE-2026-5805 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5805 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Easy Blog Site versions up to 1.0. The flaw affects an unknown function in the file /users/contact_us.php, where manipulation of the "Name" argument enables injection. Published on 2026-04-08, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via SQL queries. A public exploit is available and could be used in attacks.
Advisories and further details appear in references including the project site at https://code-projects.org/, a GitHub page documenting the SQL injection in the name parameter at https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Easy%20Blog%20Site%20PHP%20name%20Parameter.md, and VulDB entries at https://vuldb.com/?submit/787031, https://vuldb.com/?id=356243, and https://vuldb.com/?id=356243/cti. No specific patches or mitigations are mentioned in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20647
Vulnerability details
A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be…
more
launched remotely. The exploit has been made available to the public and could be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (/users/contact_us.php) with no auth or interaction required enables remote exploitation of the application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates input validation at application interfaces, directly preventing SQL injection exploitation of the unvalidated 'Name' parameter in /users/contact_us.php.
SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing remediation of the SQL injection vulnerability in Easy Blog Site.
RA-5 employs vulnerability scanning to detect SQL injection flaws like CVE-2026-5805 in the contact_us.php file during regular assessments.