Description
A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection that can compromise the database
Action: Apply patch
AI Analysis

Impact

A vulnerability exists in the Coaching Management System 1.0, specifically within the /cims/modules/admin/reply.php POST handler. By manipulating the complaintreply parameter, an attacker can inject arbitrary SQL statements. This is a classic example of CWE‑74 and CWE89 and can lead to unauthorized read or modification of the system database, potentially exposing sensitive information or corrupting data.

Affected Systems

The affected system is the code‑projects Coaching Management System 1.0. The vulnerability resides in the admin reply.php module and is reachable via HTTP POST when the application is deployed. Any instance of version 1.0 that exposes the module over the network is susceptible.

Risk and Exploitability

With a CVSS score of 5.3 the risk is moderate, and the exploit is considered remote because the vulnerability can be triggered by an external HTTP request to the reply.php endpoint. The EPSS score is not available, and the flaw is not yet listed in the CISA KEV catalog. Because the exploit has been made public, an attacker could leverage existing exploit code to perform SQL injection against the database.

Generated by OpenCVE AI on April 28, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Coaching Management System once released by code‑projects.
  • Restrict access to the admin area to authorized personnel only.
  • Validate and whitelist input for complaintreply or use prepared statements to avoid SQL injection.
  • Monitor logs for anomalous activity.

Generated by OpenCVE AI on April 28, 2026 at 12:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects coaching Management System
Vendors & Products Code-projects
Code-projects coaching Management System

Tue, 28 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Title code-projects Coaching Management System POST reply.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Coaching Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T12:33:12.000Z

Reserved: 2026-04-27T15:45:10.536Z

Link: CVE-2026-7229

cve-icon Vulnrichment

Updated: 2026-04-28T12:33:02.200Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T07:16:03.730

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses