CVE-2026-5034 describes a SQL Injection vulnerability discovered in code-projects Accounting System version 1.0. This flaw resides within the /editcostumer.php file, specifically in how it handles the 'cosid' argument. Successful exploitation could allow an attacker to manipulate the database, potentially leading to data breaches and unauthorized access. A public exploit is already available.
The SQL Injection vulnerability in code-projects Accounting System allows an attacker to inject malicious SQL code into the 'cosid' parameter of the /editcostumer.php endpoint. This can be exploited remotely without authentication. An attacker could use this to bypass authentication checks, extract sensitive data such as customer information, financial records, or user credentials, and potentially modify or delete data within the database. Depending on the database user's privileges, an attacker might even be able to gain control of the underlying server. The availability of a public exploit significantly increases the risk of exploitation.
The vulnerability is publicly known with a proof-of-concept exploit already available, indicating a high probability of exploitation. It was disclosed on 2026-03-29. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Attackers are likely to leverage the available exploit to target vulnerable instances of code-projects Accounting System.
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-5034 is to upgrade to a patched version of code-projects Accounting System. Since a fixed version is not specified, thoroughly review the vendor's website or contact their support for the latest release. As a temporary workaround, implement strict input validation on the 'cosid' parameter in /editcostumer.php, ensuring that it only accepts expected data types and formats. Web Application Firewalls (WAFs) can be configured to detect and block SQL Injection attempts targeting this endpoint. Regularly monitor database logs for suspicious activity.
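The workaround above (strict input validation on 'cosid' plus a query that cannot be altered by the parameter) is shown below as an added example. It is constructed for illustration and is not code from code-projects Accounting System; the table name `customers`, the column name `cosid`, the assumption that `cosid` is a positive integer, and the database credentials are all assumptions.

```php
<?php
// Added example, not the project's own code: a hypothetical edit-customer
// handler that applies the mitigation described above. Table/column names,
// the integer type of cosid and the credentials are assumptions.

declare(strict_types=1);

// Vulnerable pattern (constructed illustration, not the project's code):
// string concatenation lets the request value become part of the SQL text.
//   $result = $db->query("SELECT * FROM customers WHERE cosid = " . $_GET['cosid']);

/**
 * Validate the 'cosid' request parameter: accept only a positive integer.
 * Returns the integer, or null when the value does not match the expected format.
 */
function validateCosid(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so values carrying quotes, spaces or SQL keywords never reach the query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one customer row with a prepared statement. The id is bound as a
 * typed parameter, so the database never interprets it as SQL.
 */
function fetchCustomer(mysqli $db, int $cosid): ?array
{
    $stmt = $db->prepare('SELECT * FROM customers WHERE cosid = ?');
    $stmt->bind_param('i', $cosid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- Request handling (assumed page structure) ---
$cosid = validateCosid($_GET['cosid'] ?? null);
if ($cosid === null) {
    http_response_code(400);
    // Record the rejected value so monitoring can correlate injection attempts
    // against this endpoint with WAF and database logs.
    error_log('editcostumer: rejected cosid value: ' . ($_GET['cosid'] ?? '<missing>'));
    exit('Invalid customer id');
}

// Placeholder credentials; use the application's real configuration.
$db = new mysqli('localhost', 'app_user', 'app_password', 'accounting');
$db->set_charset('utf8mb4');
$customer = fetchCustomer($db, $cosid);
```

Both layers matter: validation rejects malformed values at the edge and gives monitoring a clear signal, while the prepared statement guarantees that even a value that slips past validation cannot change the query's structure.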
Update the Accounting System to a patched version that corrects the SQL injection vulnerability in the edit_costumer.php file. If no such version is available, contact the vendor for a patch or consider more secure alternatives.
CVE-2026-5034 is a SQL Injection vulnerability affecting code-projects Accounting System version 1.0, allowing attackers to manipulate database queries through the /edit_costumer.php file.
If you are using code-projects Accounting System version 1.0, you are potentially affected. Check the vendor's website for updates or contact their support.
Upgrade to the latest patched version of code-projects Accounting System. Implement input validation and consider using a WAF as temporary mitigations.
A public proof-of-concept exploit is available, indicating a high likelihood of active exploitation.
Refer to the code-projects website or contact their support for the official advisory regarding CVE-2026-5034.