CVE-2026-5034 describes a SQL Injection vulnerability discovered in code-projects Accounting System version 1.0. This flaw resides within the /editcostumer.php file, specifically in how it handles the 'cosid' argument. Successful exploitation could allow an attacker to manipulate the database, potentially leading to data breaches and unauthorized access. A public exploit is already available.
Impact and Attack Scenarios
The SQL Injection vulnerability in code-projects Accounting System allows an attacker to inject malicious SQL code into the 'cosid' parameter of the /editcostumer.php endpoint. This can be exploited remotely without authentication. An attacker could use this to bypass authentication checks, extract sensitive data such as customer information, financial records, or user credentials, and potentially modify or delete data within the database. Depending on the database user's privileges, an attacker might even be able to gain control of the underlying server. The availability of a public exploit significantly increases the risk of exploitation.
Exploitation Context
The vulnerability is publicly known with a proof-of-concept exploit already available, indicating a high probability of exploitation. It was disclosed on 2026-03-29. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Attackers are likely to leverage the available exploit to target vulnerable instances of code-projects Accounting System.
Threat Intelligence
EPSS: 0.03% (8th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2026-5034 is to upgrade to a patched version of code-projects Accounting System. Since a fixed version is not specified, thoroughly review the vendor's website or contact their support for the latest release. As a temporary workaround, implement strict input validation on the 'cosid' parameter in /editcostumer.php, ensuring that it only accepts expected data types and formats. Web Application Firewalls (WAFs) can be configured to detect and block SQL Injection attempts targeting this endpoint. Regularly monitor database logs for suspicious activity.
How to fix
Update the Accounting System to a patched version that corrects the SQL Injection vulnerability in the edit_costumer.php file. If no fixed version is available, contact the vendor for a patch or consider more secure alternatives.
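As an added example (not code from code-projects Accounting System, whose source is not reproduced on this page), the PHP handler below shows the strict validation and parameterised query that the workaround above calls for on the 'cosid' parameter. The table name `customers`, its columns, and the database connection details are assumptions.

```php
<?php
// Added example, not code from code-projects Accounting System. It shows a
// hardened way to handle the 'cosid' request parameter of editcostumer.php:
// whitelist validation first, then a prepared statement with a bound integer.
// Table/column names and connection details below are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function validateCosid(mixed $raw): ?int
{
    // Accept only a canonical positive integer: no sign, whitespace, quotes
    // or SQL keywords can pass this pattern.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function loadCustomer(mysqli $db, int $cosid): ?array
{
    // The id is bound as an integer parameter and never concatenated into the
    // SQL text, so user input cannot change the structure of the query.
    $stmt = $db->prepare('SELECT cosid, name, email FROM customers WHERE cosid = ?');
    $stmt->bind_param('i', $cosid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Unsafe pattern this replaces (string-built query, shown only for contrast):
//   $sql = "SELECT * FROM customers WHERE cosid = " . $_GET['cosid'];

$cosid = validateCosid($_GET['cosid'] ?? null);
if ($cosid === null) {
    http_response_code(400);
    // Log rejected values so repeated probing of this parameter is visible.
    error_log('editcostumer.php: rejected cosid from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid customer id');
}

$db = new mysqli('localhost', 'accounting_app', getenv('DB_PASSWORD') ?: '', 'accounting');
$db->set_charset('utf8mb4');
$customer = loadCustomer($db, $cosid);
if ($customer === null) {
    http_response_code(404);
    exit('Customer not found');
}
```

The rejected-input log line is also a useful detection signal: a burst of 400 responses on this endpoint from one source is worth alerting on while the patch is pending.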
Frequently asked questions
What is CVE-2026-5034 — SQL Injection in code-projects Accounting System?
CVE-2026-5034 is a SQL Injection vulnerability affecting code-projects Accounting System version 1.0, allowing attackers to manipulate database queries through the /edit_costumer.php file.
Am I affected by CVE-2026-5034 in code-projects Accounting System?
If you are using code-projects Accounting System version 1.0, you are potentially affected. Check the vendor's website for updates or contact their support.
How do I fix CVE-2026-5034 in code-projects Accounting System?
Upgrade to the latest patched version of code-projects Accounting System. Implement input validation and consider using a WAF as temporary mitigations.
Is CVE-2026-5034 being actively exploited?
A public proof-of-concept exploit is available, indicating a high likelihood of active exploitation.
Where can I find the official code-projects advisory for CVE-2026-5034?
Refer to the code-projects website or contact their support for the official advisory regarding CVE-2026-5034.