Platform: php
Component: vehicle-showroom-management-system
Fixed in: 1.0.1
CVE-2026-6037 describes a SQL Injection vulnerability discovered in the code-projects Vehicle Showroom Management System. This flaw allows attackers to manipulate database queries through the BRANCH_ID parameter within the /util/AddVehicleFunction.php file, potentially leading to unauthorized data access and modification. Versions 1.0.0 through 1.0 are affected, and a patch is expected to be released by the vendor.
Successful exploitation of CVE-2026-6037 could grant an attacker unauthorized access to sensitive data stored within the Vehicle Showroom Management System's database. This includes customer information (names, addresses, contact details), vehicle inventory data (models, prices, availability), and potentially financial records. An attacker could modify or delete data, leading to operational disruptions and financial losses. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the system to exploit it. The publicly disclosed nature of this exploit increases the risk of immediate exploitation.
CVE-2026-6037 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is confirmed to be exploitable remotely, increasing the attack surface. The availability of a public exploit further elevates the risk. As of the publication date (2026-04-10), there is no indication of active exploitation campaigns, but the public nature of the exploit means this could change rapidly. The vulnerability is not currently listed on the CISA KEV catalog.
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-6037 is to upgrade to a patched version of the Vehicle Showroom Management System as soon as it becomes available. Until a patch is released, consider implementing input validation and sanitization on the BRANCH_ID parameter within /util/AddVehicleFunction.php to prevent malicious SQL injection attempts. Web application firewalls (WAFs) configured to detect and block SQL injection patterns can also provide a temporary layer of protection. Review and restrict database user permissions to limit the impact of a successful attack.
Update the Vehicle Showroom Management System to a patched version. Verify and sanitize user inputs, especially the BRANCH_ID parameter, to prevent SQL injection. Use parameterized queries or stored procedures for all database access.
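The following is an added example of the mitigation described above, written for this advisory rather than taken from the Vehicle Showroom Management System: the BRANCH_ID value is validated as a positive integer and then bound with a PDO prepared statement, so it is never interpolated into SQL. The table and column names (vehicle, model, branch_id), the in-memory SQLite backend used so the script runs offline, and the sample inputs are all assumptions. It requires PHP 8.0 or later with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added illustrative example; not code from the Vehicle Showroom Management System.
// Table and column names below are assumptions chosen for the demonstration.

/**
 * Validate BRANCH_ID: accept only a plain positive integer.
 * Returns null for anything else so that no free-form string reaches the query.
 */
function validateBranchId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Insert a vehicle row using a prepared statement. The request parameter is
 * validated first and then bound as an integer, so SQL syntax inside the value
 * cannot alter the query structure.
 */
function addVehicle(PDO $db, array $post): bool
{
    $branchId = validateBranchId($post['BRANCH_ID'] ?? null);
    if ($branchId === null) {
        return false; // reject the request; a web handler would return HTTP 400 here
    }

    $stmt = $db->prepare(
        'INSERT INTO vehicle (model, branch_id) VALUES (:model, :branch_id)'
    );
    $stmt->bindValue(':model', (string)($post['MODEL'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':branch_id', $branchId, PDO::PARAM_INT);
    return $stmt->execute();
}

/**
 * Stand-alone demonstration against an in-memory SQLite database (assumed backend).
 * Returns, for each constructed input, whether it was accepted, plus the row count.
 */
function demo(): array
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE vehicle (
        id INTEGER PRIMARY KEY,
        model TEXT NOT NULL,
        branch_id INTEGER NOT NULL
    )');

    // Constructed sample inputs: a valid id, a non-numeric string, and a value carrying SQL syntax.
    $samples = ['7', 'abc', '1 OR 1=1'];
    $results = [];
    foreach ($samples as $raw) {
        $results[] = ['input' => $raw, 'accepted' => addVehicle($db, ['MODEL' => 'Sedan', 'BRANCH_ID' => $raw])];
    }
    $results[] = ['rows' => (int)$db->query('SELECT COUNT(*) FROM vehicle')->fetchColumn()];
    return $results;
}

print_r(demo());
```

Only the integer input produces a row; the other two are rejected before any SQL is built. When using MySQL instead of SQLite, set PDO::ATTR_EMULATE_PREPARES to false in the connection options so that binding is performed server-side rather than by client-side string substitution.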
CVE-2026-6037 is a SQL Injection vulnerability affecting versions 1.0.0–1.0 of the Vehicle Showroom Management System, allowing attackers to manipulate database queries through the BRANCH_ID parameter.
If you are using Vehicle Showroom Management System versions 1.0.0–1.0 and have not applied a patch, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of the Vehicle Showroom Management System. Until a patch is available, implement input validation and sanitization on the BRANCH_ID parameter.
While there is no confirmed active exploitation at this time, the vulnerability has been publicly disclosed and a public exploit exists, increasing the risk of exploitation.
Please refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-6037.