Cyber Resilience

CVE-2026-6148

Medium

Published: 13 April 2026

Published
13 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0001 2.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6148 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6148 is a SQL injection vulnerability affecting code-projects Vehicle Showroom Management System 1.0. The issue resides in an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php, where manipulation of the BRANCH_ID argument triggers the injection. It is classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability enables remote exploitation without authentication or user interaction. An attacker can send crafted requests to the BRANCH_ID parameter, potentially leading to unauthorized access to database information (low confidentiality impact), modification of data (low integrity impact), or limited denial of service (low availability impact). A public exploit is available, increasing the risk of immediate abuse against exposed instances.

Advisories and additional details are available in the referenced sources, including code-projects.org, GitHub issue tracker at github.com/mrpgi/cve/issues/2, and VULDB entries at vuldb.com/submit/796280, vuldb.com/vuln/357028, and vuldb.com/vuln/357028/cti. Security practitioners should review these for any patch information or workarounds, as the vulnerability was published on 2026-04-13. The public exploit underscores the need for urgent patching or network segmentation of affected systems.

EU & UK References

Vulnerability details

A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipulation of the argument BRANCH_ID results in sql injection. The attack is possible to be…

more

carried out remotely. The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in a public-facing web application (PHP-based management system) directly enables remote unauthenticated exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89
CVE-2025-2683Shared CWE-74, CWE-89
CVE-2026-5238Shared CWE-74, CWE-89
CVE-2026-4288Shared CWE-74, CWE-89
CVE-2026-2220Shared CWE-74, CWE-89
CVE-2025-1535Shared CWE-74, CWE-89
CVE-2026-0597Shared CWE-74, CWE-89
CVE-2026-1688Shared CWE-74, CWE-89
CVE-2026-5018Shared CWE-74, CWE-89

Affected Assets

Code Projects
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validating untrusted inputs like the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php to block SQL injection manipulation.

prevent

Mandates timely identification, reporting, and correction of the specific SQL injection flaw in the Vehicle Showroom Management System.

prevent

Vulnerability scanning detects SQL injection issues like CVE-2026-6148 in web applications, enabling proactive remediation.

References