Description
A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-01-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that may allow remote attackers to read, modify, or delete activities in the system
Action: Immediate Patch
AI Analysis

Impact

An attacker can manipulate the activity_id parameter in delete_activity.php to inject arbitrary SQL. This is a classic injection flaw, classified under CWE-74 and CWE-89, and it can lead to unauthorized data exposure, alteration, or deletion via the database backend. The CVE description indicates the vulnerability exists in the public interface and that an exploit has been publicly disclosed.

Affected Systems

The affected product is Code-Projects Intern Membership Management System version 1.0. This web application is hosted by the vendor code‑projects and the vulnerable component resides in the admin interface at /admin/delete_activity.php.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is considered moderate. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, suggesting that current exploit activity is limited. The attack vector is remote; according to this analysis, an unauthenticated user can send a crafted request to delete_activity.php with a malicious activity_id value to trigger the injection. The CVSS vectors recorded for this entry, however, specify high privileges required (PR:H; Au:M in CVSS 2.0), so check how the endpoint is actually protected in your deployment. While no additional privileged access is explicitly required, the lack of authentication or input filtering raises the risk of accidental or intentional data compromise.

Generated by OpenCVE AI on April 18, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or newer release that validates or sanitizes the activity_id parameter before it is used in SQL queries. If no patch is available, disable or remove the delete_activity.php endpoint from the public web path, or restrict it to authenticated users only. Ensure that the application performs strict type checking or uses prepared statements to eliminate unchecked user input from the SQL statement. Optionally, enable web‑application firewall rules that block typical SQL injection patterns targeting the activity_id parameter.
  • Consult the vendor’s website or repository for a future update; if one is not forthcoming, consider moving the application to an environment where database access is limited or use a read‑only interface for the delete operation.
  • Add server‑side validation that the activity_id parameter contains only numeric characters and reject or sanitize non‑numeric input before executing the query.
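
The validation, authentication and prepared-statement advice above, as an added example (not the project's code; the vulnerable source is not shown on this page). The `activities` table, its `id` column, the `admin_id` session key and the in-memory SQLite demo data are assumptions; it needs PHP 8 with pdo_sqlite.

```php
<?php
declare(strict_types=1);

/** Returns the id as int, or null unless the input is a string of 1-9 ASCII digits. */
function parseActivityId(mixed $raw): ?int
{
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Deletes one activity and returns an HTTP-style status code. */
function deleteActivity(PDO $db, array $session, mixed $rawId): int
{
    if (empty($session['admin_id'])) {   // hypothetical session key
        return 403;                      // endpoint restricted to authenticated admins
    }
    $id = parseActivityId($rawId);
    if ($id === null) {
        return 400;                      // reject rather than try to sanitize
    }
    // Prepared statement: the value is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('DELETE FROM activities WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE activities (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO activities (id, title) VALUES (1, 'Orientation'), (2, 'Workshop')");

$admin = ['admin_id' => 7];
$cases = [
    'no session'      => [[], '1'],
    'non-numeric id'  => [$admin, '12abc'],
    'array parameter' => [$admin, ['1']],
    'valid id'        => [$admin, '1'],
    'already deleted' => [$admin, '1'],
];
foreach ($cases as $label => [$session, $rawId]) {
    printf("%-16s => %d\n", $label, deleteActivity($db, $session, $rawId));
}
$left = (int) $db->query('SELECT COUNT(*) FROM activities')->fetchColumn();
printf("rows remaining   => %d\n", $left);
```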


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Carmelo |
| | | Carmelo intern Membership Management System |
| CPEs | | cpe:2.3:a:carmelo:intern_membership_management_system:1.0:*:*:*:*:*:*:* |
| Vendors & Products | | Carmelo |
| | | Carmelo intern Membership Management System |

Mon, 12 Jan 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 12 Jan 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Code-projects |
| | | Code-projects intern Membership Management System |
| Vendors & Products | | Code-projects |
| | | Code-projects intern Membership Management System |

Sun, 11 Jan 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| Title | | code-projects Intern Membership Management System delete_activity.php sql injection |
| Weaknesses | | CWE-74 |
| | | CWE-89 |
| References | | |
| Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:31:13.750Z

Reserved: 2026-01-11T09:08:54.084Z

Link: CVE-2026-0850

Vulnrichment

Updated: 2026-01-12T16:49:56.175Z

NVD

Status: Analyzed

Published: 2026-01-11T23:15:46.090

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z
