CVE-2026-6183
Published: 13 April 2026
Summary
CVE-2026-6183 is a medium-severity Injection (CWE-74) vulnerability in Code Projects (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6183 is a SQL injection vulnerability affecting code-projects Simple Content Management System version 1.0. The flaw resides in an unknown function of the file /web/index.php, where manipulation of the ID argument triggers the injection. It has been assigned CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity given its network reachability and the absence of prerequisites.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can manipulate the ID parameter to inject SQL payloads, with low-rated (C:L/I:L/A:L) impact on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption. An exploit has been publicly released on GitHub, increasing the risk of widespread attacks against exposed instances.
Advisories and details are documented on VulDB (vuldb.com/vuln/357106) and related pages, along with the project site at code-projects.org. No specific patches or mitigations are detailed in the CVE description, but security practitioners should review these references for updates and apply input validation or parameterized queries to the affected endpoint. The public exploit availability heightens the urgency for scanning and remediation.
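The input validation and parameterized query recommended above, as an added example that is not code from Simple Content Management System or its project: a hypothetical handler for the ID argument of /web/index.php. The table and column names (`content`, `id`, `title`, `body`), the DSN and the credentials are placeholders, since the page does not show the affected code.

```php
<?php
// Added example, not code from Simple Content Management System.
// Hardened handling of the `id` argument for a handler such as /web/index.php.
// Table/column names (`content`, `id`, `title`, `body`), the DSN and the
// credentials are assumptions; the page does not show the affected code.
declare(strict_types=1);

// Vulnerable pattern (hypothetical, for contrast): the raw query-string value
// is concatenated into the SQL text, so it can alter the statement itself.
//   $sql = "SELECT * FROM content WHERE id = " . $_GET['id'];

// 1. Input validation (NIST SI-10): the id must be a positive integer.
//    FILTER_VALIDATE_INT returns false for anything else, null if absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 2. Parameterized query: the value travels as a bound integer parameter,
//    never as part of the SQL string, so the statement shape is fixed.
$pdo = new PDO('mysql:host=localhost;dbname=cms', 'cms_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

$stmt = $pdo->prepare('SELECT id, title, body FROM content WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit('Not found');
}

// Output encoding is a separate concern from the injection, but the same
// untrusted path ends at the browser, so escape before rendering.
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</div>';
```

Validation alone (step 1) already removes the injection for an integer ID; the bound parameter (step 2) keeps the endpoint safe even if a later change accepts non-numeric input.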
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21981
Vulnerability details
A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in a publicly accessible web application (/web/index.php) with no authentication required directly enables remote exploitation of a public-facing app, matching T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation of the ID argument in /web/index.php to block malicious SQL payloads.
- SI-2 (Flaw Remediation): requires timely flaw remediation to patch the SQL injection vulnerability in Simple Content Management System 1.0.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify the SQL injection flaw in /web/index.php for prioritization and remediation.