CVE-2026-6165
Published: 13 April 2026
Summary
CVE-2026-6165 is a medium-severity Injection (CWE-74) vulnerability in a Code Projects product (vendor inferred from the references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6165 is a SQL injection vulnerability affecting code-projects Vehicle Showroom Management System 1.0, in unidentified code within the file /util/Login_check.php. The flaw arises from improper handling of the ID argument, enabling attackers to execute attacker-controlled SQL queries. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89.
Exploiting this vulnerability over the network requires no privileges, no user interaction, and only low attack complexity. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the affected application's database.
Advisories and additional details are available in the references, including code-projects.org, a GitHub issue at github.com/realnotjoking/cve/issues/2, and VulDB entries at vuldb.com/submit/797090, vuldb.com/vuln/357053, and vuldb.com/vuln/357053/cti; these may outline mitigation steps or patches.
A public exploit for this vulnerability has been made available, increasing the potential for real-world attacks on unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21876
Vulnerability details
A weakness has been identified in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/Login_check.php. Executing a manipulation of the argument ID can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
- CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in a public-facing web application (Login_check.php) directly enables remote exploitation for initial access without authentication or user interaction.
Affected Assets
- code-projects Vehicle Showroom Management System 1.0 (/util/Login_check.php)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring validation of untrusted inputs such as the ID argument in /util/Login_check.php, so that malformed values never reach the query.
- SI-2 (Flaw Remediation): requires timely flaw remediation, such as patching or updating the vulnerable Vehicle Showroom Management System 1.0 to eliminate the SQL injection in Login_check.php.
- SC-7 (Boundary Protection): a web application firewall at the boundary can inspect traffic and block SQL injection attempts targeting the vulnerable endpoint, as a compensating control until the application is fixed.
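The following is an added illustrative example, not code from the project (the actual contents of Login_check.php are not shown on this page): a hypothetical login-check handler that reads an ID parameter, first in the injectable form CWE-89 describes, then hardened with the SI-10 input validation and a parameterised query. The table and column names are assumed.

```php
<?php
// Added example, not the project's Login_check.php. Assumes a PDO connection
// to a table `users` with columns id and username (constructed sample data below).

// Vulnerable pattern (CWE-89): the raw ID value is spliced into the SQL text,
// so any value that contains SQL syntax changes the structure of the query.
function login_check_vulnerable(PDO $pdo, array $request): ?array
{
    $id = $request['ID'] ?? '';
    $sql = "SELECT id, username FROM users WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened pattern: validate the type first, then bind the value as data,
// never as SQL text.
function login_check_hardened(PDO $pdo, array $request): ?array
{
    // SI-10: the ID must be a positive integer; anything else is rejected outright.
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // Prepared statement: the driver sends query text and parameter separately,
    // so no value of ID can alter the query structure.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

var_dump(login_check_hardened($pdo, ['ID' => '2']));        // row for bob
var_dump(login_check_hardened($pdo, ['ID' => '2 OR 1=1']));  // NULL: rejected by validation
var_dump(login_check_hardened($pdo, ['ID' => '-5']));        // NULL: outside min_range
```

Run with `php example.php` (SQLite PDO driver required); the rejected inputs never reach the database, which is the behaviour SI-10 asks for, while the prepared statement covers any value that passes validation.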