Cyber Resilience

CVE-2026-6490

Severity: Medium
Published: 17 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: none specified
CVSS v4 Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.1st percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6490 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6490 is a SQL injection vulnerability in QueryMine SMS up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. The issue affects an unknown function in the file admin/deletecourse.php within the GET Request Parameter Handler component, where manipulation of the ID argument triggers the injection. QueryMine SMS follows a rolling release model, so specific affected or patched version details are unavailable.

The vulnerability is remotely exploitable with network access, low attack complexity, no privileges or user interaction required, and unchanged scope, earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low impacts on confidentiality, integrity, and availability. An exploit is publicly available and could be used in attacks.

Advisories from VulDB detail the vulnerability (ID 358034) and recent threat intelligence, stemming from a submission on 2026-04-17. A GitHub repository provides a deployment document for QueryMine SMS on Windows. The vendor was notified early but provided no response, and no patches or mitigations are specified due to the rolling release model.

EU & UK References

Vulnerability details

A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in publicly accessible web app (admin/deletecourse.php) directly enables remote exploitation of public-facing application with no auth required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150 (shared CWE-74, CWE-89)
CVE-2026-3746 (shared CWE-74, CWE-89)
CVE-2025-2683 (shared CWE-74, CWE-89)
CVE-2026-5238 (shared CWE-74, CWE-89)
CVE-2026-4288 (shared CWE-74, CWE-89)
CVE-2026-2220 (shared CWE-74, CWE-89)
CVE-2025-1535 (shared CWE-74, CWE-89)
CVE-2026-0597 (shared CWE-74, CWE-89)
CVE-2026-1688 (shared CWE-74, CWE-89)
CVE-2026-5018 (shared CWE-74, CWE-89)

Affected Assets

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly prevents SQL injection by validating and sanitizing the ID GET parameter in admin/deletecourse.php before the database query is executed.

Prevent: SI-2 (Flaw Remediation). Remediates the specific SQL injection flaw in QueryMine SMS's deletecourse.php through timely patching, code fixes, or workarounds, despite the rolling release model.

Prevent: SC-7 (Boundary Protection). Implements boundary protection such as a web application firewall to monitor and block SQL injection payloads aimed at the vulnerable admin/deletecourse.php endpoint.
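The SI-10 control above calls for validating the ID parameter before it reaches the query, and SI-2 for fixing the query itself. As an added illustration, not QueryMine SMS's code and not a patch for it, the PHP script below shows one handler pattern that satisfies both: an allow-list check on the raw query-string value, then a bound integer parameter in a prepared PDO statement so the input can never alter the SQL text. The table and column names and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Added example, not QueryMine SMS code. A "delete course by ID" handler that
// applies SI-10 style input validation and a parameterised DELETE so that the
// ID GET parameter cannot change the structure of the SQL statement.
// Table/column names (course, id, name) are assumptions; the in-memory SQLite
// database exists only so the script runs stand-alone (needs PHP 8 + pdo_sqlite).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding
    $db->exec('CREATE TABLE course (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO course (id, name) VALUES (1, 'Algebra'), (2, 'Physics'), (3, 'History')");
    return $db;
}

// Allow-list check: the raw query-string value must be a positive integer
// literal and nothing else. Arrays (ID[]=1), empty strings, signs, whitespace
// and anything containing SQL syntax are rejected before the database is touched.
function parseCourseId(mixed $raw): ?int
{
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,9}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// The unsafe shape this replaces is string concatenation of the form
//   "DELETE FROM course WHERE id = " . $_GET['ID']
// where the input becomes part of the SQL text. Here the value is bound as an
// integer parameter, so the statement structure is fixed at prepare time.
function deleteCourse(PDO $db, mixed $rawId): int
{
    $id = parseCourseId($rawId);
    if ($id === null) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM course WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 1 when the course existed, 0 otherwise
}

function countCourses(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM course')->fetchColumn();
}

// Constructed inputs standing in for $_GET['ID']: one legitimate value and
// three malformed ones. A real handler would read $_GET['ID'] ?? null.
$db = openDb();
printf("deleted %d row(s), %d remaining\n", deleteCourse($db, '2'), countCourses($db));
foreach (['1 OR 1=1', '', ['1']] as $bad) {
    try {
        deleteCourse($db, $bad);
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s (%d remaining)\n", json_encode($bad), $e->getMessage(), countCourses($db));
    }
}
```

Run it with `php` on the command line; the first call removes exactly one row and each malformed value is rejected with the row count unchanged. The prepared statement is the part that closes the injection path; the allow-list check in front of it is what lets the handler answer a malformed request with a clean 4xx error (and a log line, if you add one) instead of a database error that leaks query details.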

References