CVE-2026-7070
Published: 27 April 2026
Summary
CVE-2026-7070 is an Injection (CWE-74) vulnerability in Code Projects (product inferred from references). The summary data scores it CVSS 5.5 (Medium), whereas the CVSS v3.1 vector quoted under Deeper analysis (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) evaluates to 7.3 (High); the two scorings disagree, so use the higher one for prioritisation until the source of the discrepancy is established.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7070 is a SQL injection vulnerability affecting code-projects Inventory Management System version 1.0. The flaw resides in an unknown function within the Login component, where manipulation of the Username argument enables SQL code injection. Published on 2026-04-27, it is associated with CWE-74 and CWE-89, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rating it as high severity.
Remote attackers can exploit this vulnerability without requiring privileges or user interaction, launching attacks over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through injected SQL queries.
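The following is an added illustration of the bug class described above, not code from the Inventory Management System (the page itself notes that the affected function is unknown). It models a login query in Python against an in-memory SQLite table with one constructed account, shows the Username value rewriting the WHERE clause when the query is built by string formatting, and the parameterised form that closes the hole. The table layout, account name, password and payloads are all assumptions.

```python
import hashlib
import sqlite3


def make_db():
    """Create an in-memory users table with one constructed account.
    (Constructed test data; not the product's schema.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def vulnerable_sql(username, password):
    """Build the login query by string formatting. The Username value is
    spliced into the SQL text, so a quote or comment sequence inside it
    becomes SQL syntax. This is the CWE-89 pattern, modelled here as an
    assumption about the affected Login component."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{pw_hash}'"
    )


def login_vulnerable(conn, username, password):
    """Return the authenticated username, or None, using the injectable query."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with a parameterised query: the driver passes the Username
    value as data, so it can never alter the statement structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Targeted bypass: the comment sequence drops the password check entirely.
    print(login_vulnerable(db, "admin'-- ", "wrong"))      # admin
    # Tautology plus comment: returns the first row regardless of username.
    print(login_vulnerable(db, "' OR 1=1-- ", "wrong"))    # admin
    # The same payloads against the parameterised query are just failed logins.
    print(login_fixed(db, "admin'-- ", "wrong"))           # None
    print(login_fixed(db, "admin", "correct horse"))       # admin
```

Two details worth noticing when reproducing this against any login form: a bare `' OR '1'='1` does not bypass this particular query, because AND binds tighter than OR and the password clause still fails, so it is the comment sequence that removes the password check; and SHA-256 is used here only to keep the example short, a real application should store passwords with a purpose-built password hash.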
Advisories and references, including those from VulDB (vuldb.com/vuln/359645, vuldb.com/vuln/359645/cti, vuldb.com/submit/798696) and a GitHub repository (github.com/MyMySSS/CVE123/blob/main/cve/cve.md), provide further details, along with the software's page at code-projects.org. The exploit is publicly available, heightening the potential for real-world attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25746
Vulnerability details
A weakness has been identified in code-projects Inventory Management System 1.0. Affected is an unknown function of the component Login. Executing a manipulation of the argument Username can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing login component of web app directly enables T1190 Exploit Public-Facing Application for initial access via network.
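An added detection example, not taken from the page or the product: a Python routine that walks login events in a hypothetical application log and flags Username values carrying SQL syntax, rating a hit that coincides with a successful login as the bypass outcome. The log format, the sample lines and the indicator patterns are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of a hypothetical application login log (key=value,
# username quoted). These are made-up lines, not logs from the product;
# source addresses come from the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
2026-04-27T09:58:11Z event=login user="jsmith" src=203.0.113.10 result=success
2026-04-27T09:59:02Z event=login user="admin' OR '1'='1" src=203.0.113.45 result=success
2026-04-27T09:59:05Z event=login user="admin'-- " src=203.0.113.45 result=failure
2026-04-27T10:00:41Z event=login user="o'brien" src=203.0.113.12 result=failure
2026-04-27T10:01:13Z event=login user="%27%20UNION%20SELECT%201%2C2%2C3--" src=203.0.113.45 result=failure
2026-04-27T10:02:00Z event=logout user="jsmith" src=203.0.113.10 result=success
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\w+) user="(?P<user>(?:[^"\\]|\\.)*)" '
    r'src=(?P<src>\S+) result=(?P<result>\w+)$'
)

# Indicators are structural SQL fragments, not a bare apostrophe: a lone
# quote is legitimate in names like o'brien and would only generate noise.
INDICATORS = [
    ("sql_comment", re.compile(r"--|/\*|#")),
    ("tautology", re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("quote_keyword", re.compile(r"'\s*(?:or|and|union|select)\b", re.I)),
]


def analyze(log_text):
    """Return one finding per login event whose Username carries SQL syntax.
    A hit on result=success is rated high: that is the bypass outcome."""
    findings = []
    for raw_line in log_text.splitlines():
        m = LINE_RE.match(raw_line)
        if not m or m["event"] != "login":
            continue
        # Decode once so percent-encoded payloads are inspected in the form
        # the application would actually see.
        user = unquote_plus(m["user"])
        hits = [name for name, pat in INDICATORS if pat.search(user)]
        if not hits:
            continue
        findings.append({
            "ts": m["ts"],
            "src": m["src"],
            "user": user,
            "indicators": hits,
            "severity": "high" if m["result"] == "success" else "medium",
        })
    return findings


def count_by_source(findings):
    """Aggregate findings per source address to surface the probing host."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["src"], f["indicators"], repr(f["user"]))
    print(count_by_source(analyze(SAMPLE_LOG)))
```

The check only works on a log that records the submitted username: login forms are normally POSTed, and a web server's access log does not contain request bodies, so the data has to come from the application's own authentication log, a WAF, or a reverse proxy configured to log form fields. The line with `o'brien` is deliberately not flagged; alerting on every apostrophe is the usual source of false positives in this kind of rule.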
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the SQL injection flaw in the Inventory Management System 1.0 login component by applying patches or fixes for this specific CVE. None of the references listed on this page points to a vendor fix, so confirm availability with code-projects.org before relying on this control.
- SI-10 (Information Input Validation): Validates and sanitizes the Username input in the login function to block SQL injection payloads before they reach the database query. Treat this as a second layer: the underlying fix is to pass Username to the database as a bound parameter rather than splicing it into the query text.
- SI-10(5) (Restrict Inputs to Trusted Sources and Approved Formats): Restricts Username inputs to authorized formats, lengths, and character sets, reducing the feasibility of SQL injection manipulations.
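As an added example of the SI-10 controls listed above (not the product's own code): an allow-list check for the Username parameter, written in Python. The character set, length bounds and reason strings are assumptions; a real deployment would take them from the application's account-naming policy.

```python
import re
import unicodedata

# Allow-list for the Username parameter (a constructed policy, not the
# product's own): 3 to 32 characters from ASCII letters, digits, dot,
# underscore and hyphen. Anything else is rejected rather than escaped.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")
MIN_LEN, MAX_LEN = 3, 32


def validate_username(raw):
    """Return (accepted, reason). The reason strings are assumptions chosen
    for logging; the checks run cheapest-first and stop at the first failure."""
    if not isinstance(raw, str):
        return False, "not a string"
    # Reject NUL and other control characters before doing anything else;
    # they have no place in a username and can truncate or confuse parsers.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return False, "control character"
    # Require canonical form so look-alike code points (for example fullwidth
    # letters) cannot be used to slip past the ASCII allow-list.
    if unicodedata.normalize("NFKC", raw) != raw:
        return False, "non-canonical unicode"
    if not MIN_LEN <= len(raw) <= MAX_LEN:
        return False, "length"
    if not USERNAME_RE.fullmatch(raw):
        return False, "disallowed character"
    return True, "ok"


if __name__ == "__main__":
    samples = ["admin", "j.smith_01", "o'brien", "admin'-- ", "' OR 1=1-- ", "\uff41dmin", "ab"]
    for sample in samples:
        print(repr(sample), validate_username(sample))
```

The allow-list rejects `o'brien` along with the injection payloads; if the naming policy must admit apostrophes the pattern has to widen, which is exactly why the parameterised query, not the validator, is the control that actually prevents injection.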