CVE-2026-6193
Published: 13 April 2026
Summary
CVE-2026-6193 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6193 is a SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Daily Expense Tracking System 1.1. The issue resides in an unknown function within the /register.php file, where manipulation of the email argument triggers the injection.
The vulnerability is remotely exploitable over the network with low attack complexity and no required privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Unauthenticated attackers can leverage it to achieve limited impacts on confidentiality, integrity, and availability, such as unauthorized data access or modification.
Mitigation details are referenced in advisories at https://github.com/f1rstb100d/CVE/issues/47, https://vuldb.com/vuln/357115, and related VulDB entries, along with the vendor site at https://phpgurukul.com/.
An exploit for this vulnerability has been publicly released, heightening the risk of real-world attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22032
Vulnerability details
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit…
more
has been released to the public and may be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (/register.php) directly enables remote unauthenticated exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of untrusted inputs like the email parameter in register.php to directly prevent SQL injection exploitation.
SI-2 requires timely identification, testing, and remediation of flaws such as the SQL injection vulnerability in /register.php.
RA-5 employs vulnerability scanning to detect SQL injection issues in the application and initiate remediation.