CVE-2026-5829
Published: 09 April 2026
Summary
CVE-2026-5829 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5829 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple IT Discussion Forum version 1.0. The affected component is an unknown function within the file /pages/content.php, where manipulation of the post_id argument triggers the injection.
Remote attackers require no privileges (PR:N) and can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.3 (C:L/I:L/A:L/S:U). Successful exploitation allows limited impacts on confidentiality, integrity, and availability.
Advisories and details are available in references such as VulDB entries (vuldb.com/vuln/356276), a GitHub issue (github.com/lonelyuan/vunls/issues/6), and the project site (code-projects.org). The exploit has been publicly disclosed and may be utilized.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20823
Vulnerability details
A vulnerability was determined in code-projects Simple IT Discussion Forum 1.0. The impacted element is an unknown function of the file /pages/content.php. Manipulation of the argument post_id causes SQL injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (forum) directly enables remote exploitation of the vulnerable endpoint without authentication, mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation and sanitization of the post_id input parameter to directly prevent SQL injection exploitation in /pages/content.php.
SI-2 requires timely remediation of the specific SQL injection flaw in Simple IT Discussion Forum 1.0 via patching or code correction.
SC-7 employs boundary protection such as web application firewalls to inspect and block malicious SQL injection payloads targeting the vulnerable post_id argument.
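As an added illustration of the SI-10 control above (this is not code from the Simple IT Discussion Forum project), the following PHP shows how a page such as /pages/content.php can validate post_id as an integer and bind it in a prepared statement; the table name, column names and connection details are assumptions.

```php
<?php
// Added example, not code from Simple IT Discussion Forum. Table, column
// names and connection details are assumptions for illustration.
declare(strict_types=1);

// SI-10: accept post_id only as a base-10 integer >= 1. Anything else
// (empty, non-numeric, trailing characters, hex, negative) yields null.
function validatePostId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as an integer parameter, so it is never parsed as SQL;
// this is the change that removes the injection regardless of validation.
function fetchPost(PDO $pdo, int $postId): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $postId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$postId = validatePostId($_GET['post_id'] ?? null);
if ($postId === null) {
    http_response_code(400);
    exit('Invalid post_id');
}

// Placeholder DSN and credentials; PDO::ATTR_EMULATE_PREPARES = false keeps
// prepared statements server-side rather than client-side string building.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$post = fetchPost($pdo, $postId);
if ($post === null) {
    http_response_code(404);
    exit('Post not found');
}
// Output encoding for the rendered title (separate from the SQL fix).
echo htmlspecialchars($post['title'], ENT_QUOTES, 'UTF-8');
```

The integer validation gives an early 400 on malformed input and a clean log signal for detection, while the bound parameter is what actually closes the injection path.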