CVE-2026-6490
Published: 17 April 2026
Summary
CVE-2026-6490 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 2.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6490 is a SQL injection vulnerability in QueryMine SMS up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. The issue affects an unknown function in the file admin/deletecourse.php within the GET Request Parameter Handler component, where manipulation of the ID argument triggers the injection. QueryMine SMS follows a rolling release model, so specific affected or patched version details are unavailable.
The vulnerability is remotely exploitable with network access, low attack complexity, no privileges or user interaction required, and unchanged scope, earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low impacts on confidentiality, integrity, and availability. An exploit is publicly available and could be used in attacks.
Advisories from VulDB detail the vulnerability (ID 358034) and recent threat intelligence, stemming from a submission on 2026-04-17. A GitHub repository provides a deployment document for QueryMine SMS on Windows. The vendor was notified early but provided no response, and no patches or mitigations are specified due to the rolling release model.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23427
Vulnerability details
A weakness has been identified in QueryMine SMS up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-74 (Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
SQL injection in a publicly accessible web application (admin/deletecourse.php) directly enables remote exploitation of a public-facing application, with no authentication required.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by validating and sanitizing the ID GET parameter in admin/deletecourse.php before database query execution.
- SI-2 (Flaw Remediation): remediates the specific SQL injection flaw in QueryMine SMS's deletecourse.php through timely patching, code fixes, or workarounds despite the rolling release model.
- SC-7 (Boundary Protection): implements boundary protection such as web application firewalls to monitor and block SQL injection payloads targeting the vulnerable admin/deletecourse.php endpoint.
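The SI-10 control above describes the fix at the code level: validate the ID parameter and keep it out of the query structure. The following is an added example written for this page, not code from QueryMine SMS, showing what a hardened delete-by-ID handler looks like in PHP with PDO. The table name `courses`, the column `id`, the database connection details and the admin-session check are assumptions for illustration.

```php
<?php
// Added example (not QueryMine SMS code): hardened handling of a GET "ID"
// parameter for a delete action. Table "courses", column "id", the PDO
// connection and the session check are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern, shown only for contrast: concatenating the raw
// parameter into the SQL string lets the input alter the query structure.
//   $sql = "DELETE FROM courses WHERE id = " . $_GET['ID'];
//   $pdo->exec($sql);

/**
 * Validate the ID parameter (SI-10): it must be a positive integer.
 * Returns null when the value is missing or malformed, so the caller
 * rejects the request before any database access happens.
 */
function parseCourseId(array $query): ?int
{
    if (!isset($query['ID'])) {
        return null;
    }
    $id = filter_var($query['ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Delete a course by ID with a prepared statement: the ID is bound as an
 * integer value and can never change the query structure.
 * Returns the number of rows deleted.
 */
function deleteCourse(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM courses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Assumed authorization check: an admin-only endpoint should refuse
// unauthenticated callers (the advisory rates this flaw PR:N).
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$id = parseCourseId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid course ID');
}

// Assumed connection parameters; native prepared statements are enforced.
$pdo = new PDO('mysql:host=localhost;dbname=querymine', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$deleted = deleteCourse($pdo, $id);
echo $deleted > 0 ? 'Course deleted' : 'No such course';
```

The two layers are deliberate: `parseCourseId` rejects anything that is not a positive integer, and `deleteCourse` binds the value as `PDO::PARAM_INT` so that even a value that slipped past validation would be treated as data rather than SQL. A WAF rule on the endpoint (SC-7) is a useful additional layer but is not a substitute for either.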