CVE-2026-6037
Published: 10 April 2026
Summary
CVE-2026-6037 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6037 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Vehicle Showroom Management System 1.0. It affects an unknown function within the file /util/AddVehicleFunction.php, where manipulation of the BRANCH_ID argument enables injection. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-10.
Remote attackers need no privileges or user interaction, and the attack is of low complexity. Successful exploitation has a limited impact on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption through SQL injection. An exploit has been publicly disclosed and may be utilized.
Advisories and references, including those on vuldb.com (vuln/356618 and related CTI), a GitHub issue at github.com/TAnNbR/CVE/issues/4, and code-projects.org, document the vulnerability but do not specify patches or mitigations in the available details.
The exploit's public disclosure increases the risk of active utilization against unpatched instances of the affected software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21350
Vulnerability details
A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. It affects an unknown function of the file /util/AddVehicleFunction.php. Manipulation of the argument BRANCH_ID causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in a public-facing web application (PHP-based management system) directly enables remote exploitation without authentication or user interaction, mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires input validation mechanisms at application entry points to block SQL injection via the untrusted BRANCH_ID parameter in AddVehicleFunction.php.
- SI-2 (Flaw Remediation): mandates timely identification, prioritization, and remediation of the specific SQL injection flaw in the Vehicle Showroom Management System.
- Enforces restrictions on BRANCH_ID inputs, such as format, length, or allowed values, to mitigate injection attempts.
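The controls above describe the fix in the abstract: validate BRANCH_ID against an expected format, length, and set of allowed values before it reaches the data layer, and never splice it into SQL text. The following is an added example, not code from the CVE record or from the Vehicle Showroom Management System project, showing that pattern in Python with sqlite3 standing in for the application's database. The table layout (`branch`, `vehicle`), the 1-to-10-digit format for BRANCH_ID, and the hostile sample inputs are all constructed assumptions for illustration.

```python
"""Input validation (SI-10) plus a parameterised INSERT for a BRANCH_ID-style
parameter. Added example; schema, format rule and sample inputs are assumed."""
import re
import sqlite3

# Assumed allow-list format: BRANCH_ID is 1 to 10 decimal digits.
BRANCH_ID_RE = re.compile(r"[0-9]{1,10}")
MAX_LEN = 10


class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""


def validate_branch_id(raw):
    """Reject anything that is not a plain positive integer string.

    Enforces type, length and format (SI-10) before the value is used;
    returns the value as an int so later code never handles raw text.
    """
    if not isinstance(raw, str):
        raise InvalidInput("BRANCH_ID must be a string from the request")
    if len(raw) > MAX_LEN or not BRANCH_ID_RE.fullmatch(raw):
        raise InvalidInput("BRANCH_ID must be 1-10 digits")
    value = int(raw)
    if value == 0:
        raise InvalidInput("BRANCH_ID must be positive")
    return value


def make_db():
    """Constructed in-memory schema standing in for the application's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE branch (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE vehicle (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "model TEXT, branch_id INTEGER REFERENCES branch(id))"
    )
    conn.execute("INSERT INTO branch VALUES (1, 'Main'), (2, 'North')")
    return conn


def add_vehicle(conn, model, raw_branch_id):
    """Hardened add-vehicle path: validate, check allowed values, bind parameters."""
    branch_id = validate_branch_id(raw_branch_id)
    # Allowed-values check: the branch must already exist.
    row = conn.execute("SELECT 1 FROM branch WHERE id = ?", (branch_id,)).fetchone()
    if row is None:
        raise InvalidInput("unknown BRANCH_ID")
    # Parameterised statement: values are bound as data, never concatenated into SQL.
    cur = conn.execute(
        "INSERT INTO vehicle (model, branch_id) VALUES (?, ?)", (model, branch_id)
    )
    conn.commit()
    return cur.lastrowid


def vehicle_count(conn):
    return conn.execute("SELECT COUNT(*) FROM vehicle").fetchone()[0]


def demo():
    """Run one valid insert and a set of constructed malformed inputs; report outcomes."""
    conn = make_db()
    results = {"ok": add_vehicle(conn, "Sedan", "2")}
    # Constructed malformed inputs: each must be rejected before any SQL runs.
    for bad in ["2 OR 1=1", "2'; --", "", "99999999999", "0"]:
        try:
            add_vehicle(conn, "Sedan", bad)
            results[bad] = "accepted"
        except InvalidInput:
            results[bad] = "rejected"
    try:
        add_vehicle(conn, "Sedan", "7")  # well-formed, but not an existing branch
        results["unknown"] = "accepted"
    except InvalidInput:
        results["unknown"] = "rejected"
    results["count"] = vehicle_count(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

The two layers are deliberately independent: the parameterised statement alone already prevents the injected text from being interpreted as SQL, and the validation alone already rejects it; keeping both means a later change to one query (for example, an identifier that cannot be bound as a parameter) does not silently reopen the entry point.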