Description
A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. Manipulation of the argument admin_id causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-01-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

An unknown function in /intern/admin/edit_admin.php allows attackers to manipulate the admin_id argument, resulting in an SQL injection flaw. By sending crafted values for admin_id, an adversary can embed arbitrary SQL statements into the database query. The consequence is the potential to read, modify, or delete data stored in the application’s database, thereby compromising the confidentiality and integrity of sensitive information and administrative records.

Affected Systems

The vulnerability affects the code-projects Intern Membership Management System version 1.0. Every installation of this version exposes the edit_admin.php endpoint, which is susceptible to the injection flaw. The vulnerability is identified by the corresponding CPE and is not limited to any specific deployment topology or configuration beyond the presence of the default edit_admin.php file.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog, but published exploit code exists, implying that an attacker could launch a remote attack by submitting a malicious admin_id parameter to the edit_admin.php page. This makes it important to control remote access to this endpoint and to monitor for exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or newer release of Intern Membership Management System that removes the SQL injection vulnerability in edit_admin.php.
  • If a patch is not immediately available, edit the edit_admin.php source to validate and sanitize the admin_id input, using parameterized queries or prepared statements instead of directly embedding the value into SQL commands.
  • Restrict HTTP access to the edit_admin.php endpoint by firewall rules, IP whitelisting, or network segmentation so that only authorized administrative hosts can reach it.
  • Audit web server logs for anomalous admin_id parameters and set alerts for repeated attempts to access edit_admin.php with suspicious payloads.
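The log audit recommended in the last item could look like the following. This is an added example, not code from OpenCVE or from the affected project. It assumes access logs in common/combined format, that admin_id arrives in the query string (values sent in a POST body do not appear in access logs), and that a legitimate admin_id is a plain integer; the threshold and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/intern/admin/edit_admin.php"  # path named in the advisory
PARAM = "admin_id"                         # parameter named in the advisory
ALERT_THRESHOLD = 3                        # assumption: flagged hits per client before alerting

# Common/combined log format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jan/2026:10:01:02 +0000] "GET /intern/admin/edit_admin.php?admin_id=4 HTTP/1.1" 200 5120
203.0.113.9 - - [08/Jan/2026:10:02:10 +0000] "GET /intern/admin/edit_admin.php?admin_id=4%27 HTTP/1.1" 500 310
203.0.113.9 - - [08/Jan/2026:10:02:11 +0000] "GET /intern/admin/edit_admin.php?admin_id=4%27%20--%20 HTTP/1.1" 500 310
203.0.113.9 - - [08/Jan/2026:10:02:12 +0000] "GET /intern/admin/edit_admin.php?admin_id=x HTTP/1.1" 200 5120
198.51.100.7 - - [08/Jan/2026:10:03:00 +0000] "GET /intern/admin/index.php HTTP/1.1" 200 900
192.0.2.44 - - [08/Jan/2026:10:04:00 +0000] "GET /intern/admin/edit_admin.php?admin_id= HTTP/1.1" 200 5120
"""

def suspicious_requests(lines):
    """Return (client, decoded_value, status) for edit_admin.php hits whose admin_id is not an integer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are seen in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((client, value, int(status)))
    return hits

def clients_to_alert(hits, threshold=ALERT_THRESHOLD):
    """Clients with at least `threshold` flagged requests, i.e. repeated attempts."""
    counts = Counter(client for client, _value, _status in hits)
    return sorted(c for c, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG.splitlines())
    for client, value, status in found:
        print(f"{client} status={status} admin_id={value!r}")
    print("alert:", clients_to_alert(found))
```

An allowlist on the expected value shape flags anything unusual without keeping a list of payload signatures; a 500 status on a flagged request is a useful secondary signal that the value reached the query.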

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Carmelo; Carmelo intern Membership Management System
CPEs | | cpe:2.3:a:carmelo:intern_membership_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products | | Carmelo; Carmelo intern Membership Management System

Thu, 08 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects intern Membership Management System
Vendors & Products | | Code-projects; Code-projects intern Membership Management System

Thu, 08 Jan 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title | | code-projects Intern Membership Management System edit_admin.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:22:43.968Z

Reserved: 2026-01-07T21:38:50.762Z

Link: CVE-2026-0697

Vulnrichment

Updated: 2026-01-08T15:51:54.749Z

NVD

Status: Analyzed

Published: 2026-01-08T05:16:02.963

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses