CVE-2026-6149
Published: 13 April 2026
Summary
CVE-2026-6149 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6149 is a SQL injection vulnerability affecting code-projects Vehicle Showroom Management System 1.0. The issue resides in an unknown functionality of the file /util/BookVehicleFunction.php, where manipulation of the BRANCH_ID argument triggers the injection. This flaw, associated with CWE-74 and CWE-89, was published on 2026-04-13 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can perform the manipulation over the network with low complexity, potentially achieving limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories and further details are documented in references including https://code-projects.org/, https://github.com/mrpgi/cve/issues/4, https://vuldb.com/submit/796282, https://vuldb.com/vuln/357029, and https://vuldb.com/vuln/357029/cti. The exploit has been publicly disclosed and may be used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21776
Vulnerability details
A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Affected by this issue is some unknown functionality of the file /util/BookVehicleFunction.php. Executing a manipulation of the argument BRANCH_ID can lead to sql injection. The attack may be…
more
performed from remote. The exploit has been published and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an unauthenticated SQL injection vulnerability in a publicly accessible web application (Vehicle Showroom Management System), directly enabling remote exploitation of a public-facing app over the network with low complexity.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs like the BRANCH_ID parameter in BookVehicleFunction.php to prevent SQL injection exploitation.
Mandates timely identification, reporting, and correction of the specific SQL injection flaw documented in CVE-2026-6149.
Enables vulnerability scanning to identify SQL injection issues like the BRANCH_ID manipulation in the affected application.