Cyber Resilience

CVE-2026-6151

Medium

Published: 13 April 2026

Modified: 24 April 2026
CVSS Score (v4): 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6151 is a medium-severity Injection (CWE-74) vulnerability affecting Code Projects software (vendor inferred from references). Its CVSS v4 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6151 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Vehicle Showroom Management System 1.0. The issue resides in an unspecified function of the file /util/PaymentStatusFunction.php, where manipulation of the CUSTOMER_ID argument enables SQL injection. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating network-accessible exploitation with low attack complexity, no privileges or user interaction required, and limited (low) impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by crafting malicious requests targeting the CUSTOMER_ID parameter in PaymentStatusFunction.php. Successful attacks allow partial disclosure of sensitive data, modification of database contents, or limited denial of service, depending on the backend database and application configuration. A public exploit exists and could be used against exposed instances of the software.

Advisories and references, including those from VulDB (vuldb.com/vuln/357031 and related entries) and a GitHub issue (github.com/zheng-lv/CVE-/issues/2), document the vulnerability details and submission. The code-projects.org site hosts the affected software, but no specific patch or mitigation steps are detailed in the available information. Security practitioners should review these sources for updates and consider input validation or upgrading the application.


Vulnerability details

A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/PaymentStatusFunction.php. The manipulation of the argument CUSTOMER_ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a publicly accessible web application (Vehicle Showroom Management System) allowing unauthenticated remote exploitation via crafted requests to a PHP endpoint, directly enabling initial access through exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150 (shared CWE-74, CWE-89)
CVE-2026-3746 (shared CWE-74, CWE-89)
CVE-2025-2683 (shared CWE-74, CWE-89)
CVE-2026-5238 (shared CWE-74, CWE-89)
CVE-2026-4288 (shared CWE-74, CWE-89)
CVE-2026-2220 (shared CWE-74, CWE-89)
CVE-2025-1535 (shared CWE-74, CWE-89)
CVE-2026-0597 (shared CWE-74, CWE-89)
CVE-2026-1688 (shared CWE-74, CWE-89)
CVE-2026-5018 (shared CWE-74, CWE-89)

Affected Assets

Code Projects (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation [prevent]: directly prevents SQL injection by validating and sanitizing the CUSTOMER_ID input parameter against expected syntax and semantics.

SI-2 Flaw Remediation [prevent, recover]: requires timely identification and remediation of the SQL injection flaw in PaymentStatusFunction.php.

SI-9 [prevent]: enforces restrictions on CUSTOMER_ID inputs to specific types, formats, and lengths, blocking malicious SQL payloads.
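As an added example (not code from the Vehicle Showroom Management System or from code-projects), the following PHP handler shows how SI-10 style validation of CUSTOMER_ID combined with a parameterised query closes the CWE-89 pattern described above; the table, column, DSN and credential values are assumptions for illustration.

```php
<?php
// Added example, not the project's code: a hardened payment-status lookup keyed
// by CUSTOMER_ID. Table/column names and connection details are assumptions.
declare(strict_types=1);

function validateCustomerId(mixed $raw): ?int
{
    // SI-10 / SI-9 style validation: CUSTOMER_ID must be a positive integer and is
    // checked before it reaches the database layer. Arrays, empty values, quotes or
    // comment sequences never pass this gate.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

function fetchPaymentStatus(PDO $db, int $customerId): array
{
    // Parameterised query: the value is sent to the driver as data, never spliced
    // into SQL text, so it cannot change the structure of the statement. This is
    // the fix for concatenating $_GET['CUSTOMER_ID'] straight into the query.
    $stmt = $db->prepare(
        'SELECT payment_id, amount, status FROM payments WHERE customer_id = :cid'
    );
    $stmt->bindValue(':cid', $customerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: reject invalid input with HTTP 400 before touching the database.
$customerId = validateCustomerId($_GET['CUSTOMER_ID'] ?? null);
if ($customerId === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'CUSTOMER_ID must be a positive integer']);
    exit;
}

// Assumed DSN and credentials; native (non-emulated) prepares keep data and SQL apart
// on the server side, and exceptions avoid silently running on a failed prepare.
$db = new PDO('mysql:host=localhost;dbname=showroom;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

header('Content-Type: application/json');
echo json_encode(fetchPaymentStatus($db, $customerId));
```

A request such as `?CUSTOMER_ID=7` reaches the query as the integer 7, while any value that is not a positive integer is rejected at the validation step and never reaches the database.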
