CVE-2026-6148
Published: 13 April 2026
Summary
CVE-2026-6148 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6148 is a SQL injection vulnerability in code-projects Vehicle Showroom Management System 1.0. The flaw lies in an unidentified function of the file /util/MonthTotalReportUpdateFunction.php, where manipulation of the BRANCH_ID argument triggers the injection. It is classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated High because the flaw is reachable over the network and requires neither privileges nor user interaction.
The vulnerability enables remote exploitation without authentication or user interaction. An attacker can send crafted requests to the BRANCH_ID parameter, potentially leading to unauthorized access to database information (low confidentiality impact), modification of data (low integrity impact), or limited denial of service (low availability impact). A public exploit is available, increasing the risk of immediate abuse against exposed instances.
Advisories and further details are available in the referenced sources: code-projects.org, the GitHub issue tracker at github.com/mrpgi/cve/issues/2, and the VulDB entries at vuldb.com/submit/796280, vuldb.com/vuln/357028 and vuldb.com/vuln/357028/cti. Practitioners should review these for patch information or workarounds; the vulnerability was published on 2026-04-13, and the availability of a public exploit underscores the need for prompt patching or network segmentation of affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21774
Vulnerability details
A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Manipulating the argument BRANCH_ID results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing web application (a PHP-based management system) directly enables remote, unauthenticated exploitation of that application for initial access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating untrusted inputs such as the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php to block SQL injection manipulation.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of the specific SQL injection flaw in the Vehicle Showroom Management System.
- Vulnerability scanning: detects SQL injection issues like CVE-2026-6148 in web applications, enabling proactive remediation.
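As an added illustration of what SI-10 means for this parameter, the following is hypothetical PHP (not the Vehicle Showroom Management System's own source, which this page does not reproduce) showing the vulnerable string-building pattern beside a hardened version that validates BRANCH_ID and binds it as a parameter. The table name, column names and the query itself are assumptions; only the file name and the BRANCH_ID parameter come from the advisory.

```php
<?php
// Added example, not the project's own code. Table, columns and query are assumed.

// VULNERABLE PATTERN: the request value is spliced into the SQL text, so the
// database parses whatever the client sent as part of the statement.
function monthTotalUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT month, total FROM month_total_report WHERE branch_id = '"
         . ($get['BRANCH_ID'] ?? '') . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED (SI-10): check the value against the shape the application expects,
// then bind it as a typed parameter so it can only ever be data, never SQL.
function monthTotalSafe(PDO $db, array $get): array
{
    $raw = $get['BRANCH_ID'] ?? '';
    // Assumption: branch identifiers are positive integers.
    $branchId = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($branchId === false) {
        http_response_code(400);   // reject malformed input before touching the database
        return [];
    }
    $stmt = $db->prepare(
        'SELECT month, total FROM month_total_report WHERE branch_id = :branch_id'
    );
    $stmt->bindValue(':branch_id', $branchId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE month_total_report (branch_id INTEGER, month TEXT, total REAL)');
$db->exec("INSERT INTO month_total_report VALUES (1, '2026-03', 120.5), (2, '2026-03', 80.0)");

var_dump(monthTotalSafe($db, ['BRANCH_ID' => '1']));    // well-formed value: bound as an integer
var_dump(monthTotalSafe($db, ['BRANCH_ID' => 'abc']));  // non-integer value: rejected, no query runs
```

The validation step alone is not the defence; the bound parameter is what removes the injection, and the integer check additionally keeps garbage out of the report logic.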