CVE-2026-0699 - Vulnerability Details

- code-projects Intern Membership Management System edit_activity.php sql injection

Description

A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Published: 2026-01-08

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the Intern Membership Management System version 1.0 that allows an external actor to manipulate the activity_id parameter in edit_activity.php. By submitting crafted input, an attacker can trigger an SQL injection that permits arbitrary SQL statements to be executed against the underlying database. This can result in unauthorized disclosure or alteration of data stored by the application.

Affected Systems

The affected product is Intern Membership Management System from code‑projects, version 1.0, specifically the file /intern/admin/edit_activity.php. The injection is tied to the activity_id argument used within the administrative interface.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating moderate severity. The EPSS score is below 1%, reflecting a low probability of exploitation at present, although the exploitation code has been made public. The vulnerability is not listed in CISA’s KEV catalog. Attackers can reach the vulnerable endpoint over the network; remote exploitation is possible, and without mitigation an attacker could inject SQL commands that compromise database confidentiality and integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Intern Membership Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:carmelo:intern_membership_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Code-projects	Intern Membership Management System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Replace the vulnerable code with prepared statements or stored procedures that use parameterized queries for the activity_id value.
Validate and sanitize any user-supplied activity_id input before it is sent to the database, rejecting non‑numeric or malformed values.
Restrict access to the /admin path so that only authenticated and authorized users can invoke edit_activity.php, optionally employing IP whitelisting or multi‑factor authentication.

Generated by OpenCVE AI on April 18, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20activity.php%20sql%20injection.md
https://vuldb.com/?ctiid.339976
https://vuldb.com/?id.339976
https://vuldb.com/?submit.733000

History

Mon, 12 Jan 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Carmelo Carmelo intern Membership Management System
CPEs		cpe:2.3:a:carmelo:intern_membership_management_system:1.0:::::::*
Vendors & Products		Carmelo Carmelo intern Membership Management System

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects intern Membership Management System
Vendors & Products		Code-projects Code-projects intern Membership Management System

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Title		code-projects Intern Membership Management System edit_activity.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://code-projects.org/ https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20activity.php%20sql%20injection.md https://vuldb.com/?ctiid.339976 https://vuldb.com/?id.339976 https://vuldb.com/?submit.733000
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Carmelo Intern Membership Management System

Code-projects Intern Membership Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-08T06:32:05.540Z

Updated: 2026-02-23T08:23:09.830Z

Reserved: 2026-01-07T21:38:59.696Z

Link: CVE-2026-0699

Vulnrichment

Updated: 2026-01-08T15:27:46.149Z

NVD

Status : Analyzed

Published: 2026-01-08T07:15:49.460

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object