Description
A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in the Simple ChatBox application allows an attacker to inject arbitrary SQL code via the \\"msg\\" parameter in the \\"insert.php\\" endpoint. The code is incorporated into a database query without proper sanitization, so a crafted request can execute SQL statements beyond the intended scope. This results in potential read or modify access to the underlying database, compromising data confidentiality, integrity, or availability for the affected application. The vulnerability is listed publicly and can be triggered by any network user over HTTP.

Affected Systems

The issue affects code-projects Simple ChatBox version 1.0 and prior releases. The attack vector is the publicly exposed \\"/chatbox/insert.php\\" endpoint, which accepts user supplied "msg" data from external users. Any host running this software without a newer patched version remains susceptible.

Risk and Exploitability

The Common Vulnerability Scoring System assigns a score of 6.9, indicating a moderate to high severity. An exploit probability metric is not available and the vulnerability is not catalogued by CISA. Because the input can be supplied remotely, the attack requires no special local access or privileged credentials. The exposure is global, making it a legitimate threat for any unpatched installation.

Generated by OpenCVE AI on April 13, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the code-projects website or repository for an updated release that fixes the SQL injection flaw and apply the patch or upgrade to a non‑affected version.
  • If no patch is immediately available, restrict database permissions for the account used by the application to the minimal required set, limiting the impact of any injected commands.
  • Implement input validation or parameterized queries for the "msg" parameter to eliminate unsanitized SQL concatenation.

Generated by OpenCVE AI on April 13, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects simple Chatbox
Vendors & Products Code-projects
Code-projects simple Chatbox

Mon, 13 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title code-projects Simple ChatBox Endpoint insert.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Simple Chatbox
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T04:45:13.164Z

Reserved: 2026-04-12T18:11:03.819Z

Link: CVE-2026-6161

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T05:16:05.630

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-6161

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:53:07Z

Weaknesses