CVE-2026-5828
Published: 09 April 2026
Summary
CVE-2026-5828 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5828 is a SQL injection vulnerability affecting code-projects Simple IT Discussion Forum version 1.0. The flaw exists in an unknown function within the file /functions/addcomment.php, where manipulation of the postid argument enables SQL code injection. It is classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by unauthenticated attackers requiring low attack complexity and no user interaction. Exploitation via the postid parameter in addcomment.php allows attackers to inject malicious SQL, potentially resulting in limited impacts to confidentiality, integrity, and availability.
Advisories and additional details are documented in references such as VulDB entries (vuln/356275 and related CTI/submit pages), a GitHub issue at lonelyuan/vunls/issues/7, and the code-projects.org site. The exploit has been made public and could be used.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20821
Vulnerability details
A vulnerability was found in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /functions/addcomment.php. The manipulation of the argument postid results in sql injection. The attack may be launched remotely. The exploit…
more
has been made public and could be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (addcomment.php) enables remote unauthenticated exploitation of internet-facing application for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of the postid parameter in addcomment.php to block malicious SQL injection payloads.
Mandates timely patching or remediation of the SQL injection flaw in the Simple IT Discussion Forum application.
Restricts postid inputs to valid formats such as integers, preventing SQL injection via malformed arguments.