Cyber Resilience

CVE-2026-6161

Medium

Published: 13 April 2026

Published
13 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6161 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6161 is a SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Simple ChatBox up to version 1.0. The flaw exists in the /chatbox/insert.php endpoint of the component, where manipulation of the 'msg' argument enables SQL injection. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Unauthenticated remote attackers can exploit this vulnerability with low complexity over the network. By crafting malicious input for the 'msg' parameter, attackers can inject SQL payloads, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.

Advisories and references, including VulDB entries (vuldb.com/vuln/357041) and a GitHub proof-of-concept (github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md), confirm the exploit has been publicly disclosed and may be utilized. No patches are detailed in the provided information; practitioners should review the project site (code-projects.org) and apply input sanitization or upgrades if available.

The exploit's public availability heightens risk for deployments of this chat application.

EU & UK References

Vulnerability details

A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to sql injection. It is possible to…

more

launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing web app (/chatbox/insert.php) directly enables remote unauthenticated exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89
CVE-2025-2683Shared CWE-74, CWE-89
CVE-2026-5238Shared CWE-74, CWE-89
CVE-2026-4288Shared CWE-74, CWE-89
CVE-2026-2220Shared CWE-74, CWE-89
CVE-2025-1535Shared CWE-74, CWE-89
CVE-2026-0597Shared CWE-74, CWE-89
CVE-2026-1688Shared CWE-74, CWE-89
CVE-2026-5018Shared CWE-74, CWE-89

Affected Assets

Code Projects
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation of the untrusted 'msg' input parameter in the /chatbox/insert.php endpoint.

prevent

Ensures timely identification, reporting, and remediation of the specific SQL injection flaw in Simple ChatBox up to version 1.0.

detect

Vulnerability scanning identifies the SQL injection vulnerability in the chatbox component, enabling proactive mitigation.

References