Description
A vulnerability was identified in PHPGurukul News Portal Project 4.1. This issue affects some unknown processing of the file /admin/add-subcategory.php. Manipulation of the argument sucatdescription leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: SQL Injection
Action: Patch ASAP
AI Analysis

Impact

The vulnerability exists in the admin interface of PHPGurukul News Portal Project, where the sucatdescription parameter is processed without proper sanitization. This allows an attacker to inject arbitrary SQL statements, leading to unauthorized data disclosure or manipulation. The weakness is a classic SQL injection flaw, classified as CWE-89, and also falls under the broader injection class, CWE-74. The impact can range from database corruption to full control over the affected system, depending on the privileges of the database account used by the application.

Affected Systems

The affected product is PHPGurukul News Portal Project, version 4.1. No other versions are explicitly listed as vulnerable, but the description refers to "some unknown processing", implying that the flaw may affect any instance that uses this file without proper input validation.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating medium severity. The CVSS 4.0 vector lists PR:H, meaning high privileges are required, which is consistent with the flaw residing in the admin interface. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The attack can be launched remotely and the exploit is publicly available, increasing the likelihood of exploitation in exposed installations.

Generated by OpenCVE AI on April 9, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Verify the current version of PHPGurukul News Portal Project; if it is 4.1 or an older build, consider upgrading to the latest release if a fix has been issued.
  • If an upgrade is not possible, apply an input sanitization patch to the /admin/add-subcategory.php script, ensuring that sucatdescription is validated or parameterized using prepared statements.
  • Limit access to the /admin/add-subcategory.php endpoint by requiring authentication and restricting valid IP addresses where feasible.



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 04:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was identified in PHPGurukul News Portal Project 4.1. This issue affects some unknown processing of the file /admin/add-subcategory.php. Such manipulation of the argument sucatdescription leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. |
| Title | | PHPGurukul News Portal Project add-subcategory.php sql injection |
| First Time appeared | | Phpgurukul; Phpgurukul news Portal Project |
| Weaknesses | | CWE-74; CWE-89 |
| CPEs | | cpe:2.3:a:phpgurukul:news_portal_project:*:*:*:*:*:*:*:* |
| Vendors & Products | | Phpgurukul; Phpgurukul news Portal Project |
| References | | |
| Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T03:45:14.278Z

Reserved: 2026-04-08T17:32:27.747Z

Link: CVE-2026-5839

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T05:16:05.780

Modified: 2026-04-09T05:16:05.780

Link: CVE-2026-5839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:01Z

Weaknesses