Description
A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0. This affects an unknown part of the file /addcat.php. Performing a manipulation of the argument cata results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

An SQL injection vulnerability exists in the addcat.php component of Lost and Found Thing Management version 1.0, triggered by manipulating the cata parameter. This flaw allows an attacker to execute arbitrary SQL statements against the underlying database, potentially leading to data disclosure, alteration, or deletion. The weakness is consistent with CWE-89, reflecting improper handling of user input in database queries.

Affected Systems

The affected system is code-projects Sent Lost and Found Thing Management 1.0. Users running this specific version of the web application are susceptible to exploit unless updated or patched.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating a moderate to high risk level. An attacker can exploit the flaw remotely by sending crafted HTTP requests, and public exploit code has already been released. While EPSS data is not available, the lack of listing in the KEV catalog does not diminish the likelihood or severity of exploitation, especially for deployments still using the unpatched version.

Generated by OpenCVE AI on April 13, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website for a patch or newer release of Lost and Found Thing Management and apply it as soon as available.
  • If no patch exists, restrict access to the addcat.php endpoint or remove the related functionality until a fix can be applied.
  • Implement input validation or use parameterized queries for the cata parameter to prevent SQL injection if code modifications are possible.

Generated by OpenCVE AI on April 13, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects lost And Found Thing Management
Vendors & Products Code-projects
Code-projects lost And Found Thing Management

Mon, 13 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0. This affects an unknown part of the file /addcat.php. Performing a manipulation of the argument cata results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title code-projects Lost and Found Thing Management addcat.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Lost And Found Thing Management
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T13:08:34.957Z

Reserved: 2026-04-12T20:43:28.305Z

Link: CVE-2026-6164

cve-icon Vulnrichment

Updated: 2026-04-13T13:08:31.403Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T06:16:07.160

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-6164

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:52:49Z

Weaknesses