Description
A vulnerability was identified in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is the function fwrite of the file admin/pageMail.php. The manipulation of the argument mailSubject/mailMessage leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-03-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the fwrite function of admin/pageMail.php in version 1.0 of the Chamber of Commerce Membership Management System. By manipulating the mailSubject or mailMessage parameters, an attacker can inject arbitrary commands into the server’s command line, leading to remote command execution. This falls under CWE‑74 (Command Injection) and CWE‑77 (OS Command Injection). Successful exploitation would compromise the confidentiality, integrity and availability of the affected system by enabling an attacker to run arbitrary code on the host.

Affected Systems

The only affected product is the Chamber of Commerce Membership Management System version 1.0, released by code‑projects.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw remotely through the web interface; the exploit is publicly available. The risk is moderate but real, as an attacker who gains access can execute arbitrary commands on the server. Mitigation requires patching or input sanitization to block the injection.

Generated by OpenCVE AI on March 29, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to the latest version of Chamber of Commerce Membership Management System if one is available.
  • If no patch exists, restrict direct access to admin/pageMail.php and ensure that mailSubject and mailMessage inputs are properly escaped or validated before being passed to fwrite.
  • Monitor the application for intrusion attempts and inspect logs for suspicious command executions.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 10:00:00 +0000

Values Added

Description: A vulnerability was identified in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is the function fwrite of the file admin/pageMail.php. The manipulation of the argument mailSubject/mailMessage leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title: code-projects Chamber of Commerce Membership Management System pageMail.php fwrite command injection
Weaknesses: CWE-74, CWE-77
References
Metrics:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-29T09:45:10.683Z

Reserved: 2026-03-27T16:27:39.333Z

Link: CVE-2026-5041

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-29T10:15:56.747

Modified: 2026-03-29T10:15:56.747

Link: CVE-2026-5041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:31:41Z
