CVE-2026-6161
Published: 13 April 2026
Summary
CVE-2026-6161 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6161 is a SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Simple ChatBox up to version 1.0. The flaw exists in the /chatbox/insert.php endpoint of the component, where manipulation of the 'msg' argument enables SQL injection. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low complexity over the network. By crafting malicious input for the 'msg' parameter, attackers can inject SQL payloads, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories and references, including VulDB entries (vuldb.com/vuln/357041) and a GitHub proof-of-concept (github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md), confirm the exploit has been publicly disclosed and may be utilized. No patches are detailed in the provided information; practitioners should review the project site (code-projects.org) and apply input sanitization or upgrades if available.
The exploit's public availability heightens risk for deployments of this chat application.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21854
Vulnerability details
A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques? SQL injection in a public-facing web application (/chatbox/insert.php) directly enables remote, unauthenticated exploitation of that application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation of the untrusted 'msg' input parameter in the /chatbox/insert.php endpoint.
- Ensures timely identification, reporting, and remediation of the specific SQL injection flaw in Simple ChatBox up to version 1.0.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies the SQL injection vulnerability in the chatbox component, enabling proactive mitigation.
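As an added illustration of the input-validation control (SI-10) applied to the 'msg' parameter described above, the following PHP is example code written for this page, not Simple ChatBox's own source: the table name `messages`, its `msg` column, the connection details and the request wiring are all assumptions; the "vulnerable" function shows the general string-concatenation pattern that produces this class of flaw, not the project's actual code.

```php
<?php
// Added example, not Simple ChatBox's own code. Table/column names
// (messages.msg) and the connection details are assumptions.
declare(strict_types=1);

// Assumed vulnerable pattern, shown only for contrast: the request value is
// concatenated straight into the SQL text, so characters the user controls
// are parsed by the database as part of the statement itself.
function insertMessageVulnerable(mysqli $db, string $msg): bool
{
    $sql = "INSERT INTO messages (msg) VALUES ('" . $msg . "')";
    return $db->query($sql) !== false;
}

// Hardened version: validate the input (NIST SI-10) and bind it as a
// parameter, so the value can never alter the statement's structure.
function insertMessageSafe(mysqli $db, string $msg): bool
{
    // Reject empty, oversized or malformed input before it reaches the DB.
    $msg = trim($msg);
    if ($msg === '' || mb_strlen($msg) > 500 || !mb_check_encoding($msg, 'UTF-8')) {
        return false;
    }
    // Prepared statement: the SQL text is fixed; data travels separately.
    $stmt = $db->prepare('INSERT INTO messages (msg) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $msg);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Hypothetical request wiring for a POST to /chatbox/insert.php.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Placeholder credentials; replace with the deployment's own settings.
    $db = new mysqli('localhost', 'chat_user', 'CHANGE_ME', 'chatbox');
    $db->set_charset('utf8mb4');
    $msg = $_POST['msg'] ?? '';
    // is_string() also rejects msg[]=... array submissions before the typed call.
    if (!is_string($msg) || !insertMessageSafe($db, $msg)) {
        http_response_code(400);
        exit('invalid message');
    }
    echo 'ok';
}
```

The length and encoding checks are a defence-in-depth layer; the prepared statement alone is what removes the injection, so both belong in the fix.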