Description
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-04-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection Leading to Unauthorized Data Access
Action: Apply Patch
AI Analysis

Impact

A SQL injection flaw exists in the VehicleDetailsFunction.php file of the Vehicle Showroom Management System. By manipulating the VEHICLE_ID argument, an attacker can inject arbitrary SQL statements into the database query. This vulnerability is remote and can be triggered by any user capable of sending requests to the affected endpoint, potentially enabling unauthorized data exposure, data alteration, or privilege escalation depending on the database configuration.

Affected Systems

The affected product is code-projects Vehicle Showroom Management System, version 1.0. No other versions or product variants are listed in the available data.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 6.9, indicating a moderate to high severity. The EPSS score is unavailable, and it is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication, and public exploits have already been disclosed.

Generated by OpenCVE AI on April 10, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an update or patch from code-projects that addresses the SQL injection in VehicleDetailsFunction.php.
  • Restrict or block external access to the endpoint that processes the VEHICLE_ID parameter until a fix is deployed.
  • Implement server-side validation to ensure VEHICLE_ID is numeric and free from injected SQL.
  • Review database permissions to limit query privileges for the application user.
  • Monitor application logs for suspicious query patterns involving VEHICLE_ID.
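A hardened version of the VEHICLE_ID lookup that the recommended actions describe (numeric validation plus a parameterised query), written as an added example for this record; it is not code from the code-projects project, and the table and column names, the PDO connection details and the function names are assumptions.

```php
<?php
// Added example, not the project's own code. Table, column and function
// names are assumptions. The weak pattern this replaces is interpolating
// the raw VEHICLE_ID request value into the SQL text, which is what lets
// a request alter the query.

declare(strict_types=1);

/**
 * Validate VEHICLE_ID strictly: it must be a positive integer.
 * Returns the integer, or null when the value is absent or malformed
 * (anything that is not purely a number, e.g. "12 OR 1=1", is rejected).
 */
function parseVehicleId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one vehicle row. The identifier is bound as an integer parameter,
 * so the database never parses request data as SQL. Returns the row,
 * or null when the identifier is invalid or unknown.
 */
function getVehicleDetails(PDO $pdo, mixed $rawVehicleId): ?array
{
    $id = parseVehicleId($rawVehicleId);
    if ($id === null) {
        http_response_code(400); // reject before touching the database
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT vehicle_id, make, model, price FROM vehicles WHERE vehicle_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection details are placeholders. Emulated prepares are disabled so
// the server itself handles the placeholder rather than the PHP driver.
$pdo = new PDO('mysql:host=localhost;dbname=showroom', 'app_user', 'PASSWORD_PLACEHOLDER', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$vehicle = getVehicleDetails($pdo, $_GET['VEHICLE_ID'] ?? null);
```

Pairing this with a database account that holds only SELECT on the tables the page needs, as the fourth recommended action suggests, limits what a remaining injection elsewhere in the application could reach.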

Tracking


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 12:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

Type: Title
Values Removed: (none)
Values Added: code-projects Vehicle Showroom Management System VehicleDetailsFunction.php sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74, CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T11:45:05.181Z

Reserved: 2026-04-09T16:22:34.734Z

Link: CVE-2026-6036

Vulnrichment

Updated: 2026-04-10T11:44:59.123Z

NVD

Status: Received

Published: 2026-04-10T09:16:24.787

Modified: 2026-04-10T09:16:24.787

Link: CVE-2026-6036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:23Z

Weaknesses