CVE-2026-5805 - Vulnerability Details

- code-projects Easy Blog Site contact_us.php sql injection

Description

A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-04-08

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness exists in Easy Blog Site up to version 1.0 that permits the injection of arbitrary SQL through the Name parameter in the contact_us.php file. By manipulating this input, an attacker can execute unintended SQL commands against the underlying database. The impact may include unauthorized data retrieval or modification, depending on the database schema and the commands executed. The description does not specify the exact privileges or sensitive data that can be accessed, so the precise scope remains uncertain. The vulnerability is identified as a remote attack vector, and a public exploit has been released, indicating that remote exploitation is feasible without requiring authentication.

Affected Systems

All installations of code‑projects Easy Blog Site running version 1.0 or earlier are affected. The contact_us.php page is publicly accessible, so any web server hosting this application can be targeted.

Risk and Exploitability

The CVSS score of 6.9 places the vulnerability in the medium‑to‑high range. A publicly available exploit and the ability to trigger the issue from any remote host increase the likelihood of real‑world attacks, even though the EPSS score is unavailable and the issue is not listed in KEV. Attackers must craft a request to contact_us.php and supply a malicious value for the Name field to exploit the injection

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Easy Blog Site

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Easy Blog Site

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Easy Blog Site to a version newer than 1.0 or apply any vendor‑issued patch if one becomes available
Validate and sanitize the Name input using parameterized queries or prepared statements to prevent SQL injection
Restrict access to the contact_us.php page by enabling authentication or applying IP‑based access controls
Monitor web server logs for suspicious POST requests to contact_us.php and investigate any anomalies

Generated by OpenCVE AI on April 8, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Easy%20Blog%20Site%20PHP%20name%20Parameter.md
https://vuldb.com/submit/787031
https://vuldb.com/vuln/356243
https://vuldb.com/vuln/356243/cti

History

Thu, 09 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects easy Blog Site
Vendors & Products		Code-projects Code-projects easy Blog Site

Wed, 08 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Title		code-projects Easy Blog Site contact_us.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://code-projects.org/ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Easy%20Blog%20Site%20PHP%20name%20Parameter.md https://vuldb.com/submit/787031 https://vuldb.com/vuln/356243 https://vuldb.com/vuln/356243/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Easy Blog Site

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-08T20:30:18.416Z

Updated: 2026-04-09T16:17:06.443Z

Reserved: 2026-04-08T14:39:44.634Z

Link: CVE-2026-5805

Vulnrichment

Updated: 2026-04-09T14:54:09.347Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:02.200

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-5805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object