Description
A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper handling of the 'User' argument in the login.php file of the Parameters Handler component. An attacker can inject arbitrary SQL through this parameter, allowing unauthorized access to, or manipulation of, the underlying database. Because the flaw is exploitable remotely, a malicious actor could retrieve sensitive data, alter records, or potentially execute further queries, creating significant confidentiality and integrity risks.

Affected Systems

This issue affects Projectworlds Online Notes Sharing System version 1.0. The flaw is confined to the login.php endpoint and is reported only for that version release.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity. A public exploit exists and can be triggered remotely without authentication; the EPSS score is very low (under 1%) and the vulnerability is not listed in the CISA KEV catalog. Organizations running the affected version should nonetheless prioritize patching, or restrict access to the vulnerable endpoint, to reduce the likelihood of exploitation.

Generated by OpenCVE AI on March 22, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Projectworlds project repository or vendor website for an updated release or patch that addresses the login.php SQL injection.
  • When the patch becomes available, apply it immediately or upgrade to the latest stable version of the Online Notes Sharing System.
  • Restrict the /login.php endpoint to trusted IP addresses or enforce multi-factor authentication for user access.
  • Deploy a web application firewall rule that detects and blocks suspicious SQL injection payloads targeting the User parameter.
  • Continuously monitor authentication logs for abnormal login attempts and review database access logs for unauthorized queries.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Projectworlds; Projectworlds online Notes Sharing Platform

Type: Vendors & Products
Values added: Projectworlds; Projectworlds online Notes Sharing Platform

Sun, 22 Mar 2026 12:45:00 +0000

Type: Description
Values removed: A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument Benutzer results in SQL Injection. The attack can be executed remotely. The exploit is now public and may be used.
Values added: A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

Sun, 22 Mar 2026 08:00:00 +0000

Type: Description
Values added: A vulnerability was detected in projectworlds Online Notes Sharing System 1.0. This issue affects some unknown processing of the file /login.php of the component Parameters Handler. The manipulation of the argument Benutzer results in SQL Injection. The attack can be executed remotely. The exploit is now public and may be used.

Type: Title
Values added: projectworlds Online Notes Sharing System Parameters login.php sql injection

Type: Weaknesses
Values added: CWE-74, CWE-89

Type: References

Type: Metrics
Values added:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Projectworlds Online Notes Sharing Platform
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-24T14:33:25.772Z

Reserved: 2026-03-21T15:05:58.119Z

Link: CVE-2026-4540

Vulnrichment

Updated: 2026-03-24T14:33:11.344Z

NVD

Status: Deferred

Published: 2026-03-22T08:15:59.800

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:36Z

Weaknesses