Description
A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the admin/checklogin.php of Feedback System 1.0. An attacker can manipulate the email argument, causing an SQL query to be executed with injected payload, allowing unauthorized read or modification of database contents. This flaw is a classic SQL injection, mapped to CWE-74 and CWE-89.

Affected Systems

The affected product is code‑projects Feedback System version 1.0. Earlier or later releases are not known to be impacted. The flaw exists in the administration module of that specific release.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS is not available, so the exploitation frequency is unclear. The vulnerability is not listed in CISA KEV. The attack can be launched remotely by sending a malicious email parameter to checklogin.php, meaning no prior authentication is required. Successful exploitation may lead to data exposure, alteration, or deletion, and potentially elevate privileges if administrative functions are compromised.

Generated by OpenCVE AI on May 7, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any official patch or upgrade to the latest Feedback System version from code‑projects
  • Replace the vulnerable code with prepared statements or parameterized queries for the email input
  • Validate and sanitize the email argument before use, ensuring only legitimate email formats are accepted

Generated by OpenCVE AI on May 7, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Title code-projects Feedback System checklogin.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T14:43:10.396Z

Reserved: 2026-05-07T13:16:41.793Z

Link: CVE-2026-8098

cve-icon Vulnrichment

Updated: 2026-05-08T14:43:06.232Z

cve-icon NVD

Status : Received

Published: 2026-05-07T21:16:30.900

Modified: 2026-05-07T21:16:30.900

Link: CVE-2026-8098

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses