Description
A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin_costumer.php of the component Parameter Handler. Such manipulation of the argument cos_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the file /viewin_costumer.php of the Parameter Handler in code-projects Accounting System 1.0. By manipulating the cos_id argument, an attacker can inject arbitrary SQL statements, potentially leading to unauthorized data disclosure, modification or deletion. The attack is carried out by sending crafted HTTP requests to the web server, making the weakness exploitable from a remote location. The weaknesses correspond to CWE‑74 (Improper Filtering or Sanitization) and CWE‑89 (Improper Neutralization of Special Elements used in an SQL Command).

Affected Systems

code-projects Accounting System version 1.0 is affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity, suggesting significant impact if exploited. No EPSS score is available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the public disclosure of the exploit implies that it can be used by attackers. The exploit requires a remote web request targeting the cos_id parameter, and no additional preconditions are listed in the description.

Generated by OpenCVE AI on March 31, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an update or patch provided by code‑projects for Accounting System 1.0 to fix the SQL injection in viewin_costumer.php.
  • If an official patch is not available, modify the application to sanitize or parameterize the cos_id input before it is used in SQL queries.
  • Deploy a Web Application Firewall to block malicious SQL injection attempts.
  • Regularly run vulnerability scans to detect any unpatched instances.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 20:15:00 +0000

Type: Description
Values Removed:
Values Added: A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin_costumer.php of the component Parameter Handler. Such manipulation of the argument cos_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Type: Title
Values Removed:
Values Added: code-projects Accounting System Parameter viewin_costumer.php sql injection

Type: Weaknesses
Values Removed:
Values Added: CWE-74, CWE-89

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T14:16:59.045Z

Reserved: 2026-03-30T13:27:33.863Z

Link: CVE-2026-5150

Vulnrichment

Updated: 2026-03-31T14:16:47.832Z

NVD

Status: Received

Published: 2026-03-30T20:16:24.080

Modified: 2026-03-30T20:16:24.080

Link: CVE-2026-5150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:02Z
