CVE-2026-6151
Published: 13 April 2026
Summary
CVE-2026-6151 is a medium-severity Injection (CWE-74) vulnerability in software from Code Projects (vendor inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6151 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Vehicle Showroom Management System 1.0. The issue resides in unknown code within the file /util/PaymentStatusFunction.php, where manipulation of the CUSTOMER_ID argument enables SQL injection. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating network-accessible exploitation with low complexity, no privileges or user interaction required, and limited impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability by crafting malicious requests targeting the CUSTOMER_ID parameter in PaymentStatusFunction.php. Successful attacks allow partial disclosure of sensitive data, modification of database contents, or limited denial of service, depending on the backend database and application configuration. A public exploit exists and could be used against exposed instances of the software.
Advisories and references, including those from VulDB (vuldb.com/vuln/357031 and related entries) and a GitHub issue (github.com/zheng-lv/CVE-/issues/2), document the vulnerability details and submission. The code-projects.org site hosts the affected software, but no specific patch or mitigation steps are detailed in the available information. Security practitioners should review these sources for updates and consider input validation or upgrading the application.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21780
Vulnerability details
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/PaymentStatusFunction.php. The manipulation of the argument CUSTOMER_ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a publicly accessible web application (Vehicle Showroom Management System) allowing unauthenticated remote exploitation via crafted requests to a PHP endpoint, directly enabling initial access through exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by validating and sanitizing the CUSTOMER_ID input parameter against expected syntax and semantics.
SI-2 requires timely identification and remediation of the SQL injection flaw in PaymentStatusFunction.php.
SI-9 enforces restrictions on CUSTOMER_ID inputs to specific types, formats, and lengths, blocking malicious SQL payloads.
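The following is an added example of how the SI-9/SI-10 controls above translate into code for a PHP endpoint like the one affected. It is not code from the Vehicle Showroom Management System or from code-projects; the table and column names (payments, customer_id, status), the database connection details and the response format are assumptions for illustration. It assumes PHP 8 with the PDO extension. The CUSTOMER_ID value is first constrained to a bounded positive integer and then bound as a typed parameter to a prepared statement, so it never becomes part of the SQL text.

```php
<?php
// Added example (not code from the Vehicle Showroom Management System):
// a hardened lookup of a payment status by CUSTOMER_ID. Table and column
// names (payments, customer_id, status) are assumptions for illustration.

declare(strict_types=1);

/**
 * Validate the CUSTOMER_ID request parameter (SI-9 / SI-10): accept only a
 * positive integer within a bounded range; return null for anything else.
 */
function validateCustomerId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        // Arrays (CUSTOMER_ID[]=...) or a missing parameter are rejected outright.
        return null;
    }
    // FILTER_VALIDATE_INT accepts only an optional sign, digits and surrounding
    // whitespace; any value containing quotes, comment markers or operators
    // fails. min_range excludes zero and negative values.
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 2147483647],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch the payment status for one customer. The value never reaches the
 * SQL text: it is bound as a typed parameter to a prepared statement, so
 * the database treats it as data regardless of its content.
 */
function getPaymentStatus(PDO $db, int $customerId): ?string
{
    $stmt = $db->prepare(
        'SELECT status FROM payments WHERE customer_id = :customer_id'
    );
    $stmt->bindValue(':customer_id', $customerId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['status'];
}

// Connection details are placeholders; real credentials belong in configuration,
// not in source. Emulated prepares are disabled so the server parses the
// statement and parameters separately.
$db = new PDO('mysql:host=localhost;dbname=showroom', 'app_user', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Request handling: reject invalid input with a generic 400 before any
// database access, and do not echo the rejected value back to the client.
$customerId = validateCustomerId($_GET['CUSTOMER_ID'] ?? null);
if ($customerId === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid CUSTOMER_ID']);
    exit;
}

header('Content-Type: application/json');
echo json_encode([
    'customer_id' => $customerId,
    'status'      => getPaymentStatus($db, $customerId),
]);
```

Two design choices are worth noting for a defender. The allow-list validation (SI-9/SI-10) and the prepared statement are independent layers: the prepared statement alone would already prevent injection, while the validation step gives a clean place to count and log rejected requests, which is a useful detection signal for probing of the endpoint (T1190). Rejected values are deliberately not reflected in the response so the error path cannot be used as an oracle.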