{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5035", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T16:13:42.461Z", "datePublished": "2026-03-29T07:00:18.136Z", "dateUpdated": "2026-03-30T15:52:58.977Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-29T07:00:18.136Z"}, "title": "code-projects Accounting System Parameter view_work.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Accounting System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Such manipulation of the argument en_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T17:18:46.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Xu Zhihan (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353961", "name": "VDB-353961 | code-projects Accounting System Parameter view_work.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353961/cti", "name": "VDB-353961 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778603", "name": "Submit #778603 | code-projects Accounting System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Xu-Zhihan/CVE/issues/8", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:52:47.931472Z", "id": "CVE-2026-5035", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:58.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5035", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:52:47.931472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:53.264Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Accounting System Parameter view_work.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "Xu Zhihan (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "code-projects", "modules": ["Parameter Handler"], "product": "Accounting System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-27T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-27T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-27T17:18:46.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/353961", "name": "VDB-353961 | code-projects Accounting System Parameter view_work.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353961/cti", "name": "VDB-353961 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778603", "name": "Submit #778603 | code-projects Accounting System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Xu-Zhihan/CVE/issues/8", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Such manipulation of the argument en_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-29T07:00:18.136Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5035", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:52:58.977Z", "dateReserved": "2026-03-27T16:13:42.461Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-29T07:00:18.136Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sherlock:accounting_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "98BBE2CC-9167-40F4-A301-0FC5EA791422", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Such manipulation of the argument en_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en code-projects Accounting System 1.0. Esto afecta una parte desconocida del archivo /view_work.php del componente Gestor de Par\u00e1metros. Tal manipulaci\u00f3n del argumento en_id conduce a inyecci\u00f3n SQL. Es posible lanzar el ataque remotamente. El exploit ha sido divulgado al p\u00fablico y puede ser utilizado."}], "id": "CVE-2026-5035", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-29T07:15:56.793", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/Xu-Zhihan/CVE/issues/8"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/submit/778603"}, {"source": "cna@vuldb.com", "tags": ["VDB Entry", "Third Party Advisory"], "url": "https://vuldb.com/vuln/353961"}, {"source": "cna@vuldb.com", "tags": ["VDB Entry", "Permissions Required"], "url": "https://vuldb.com/vuln/353961/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "accounting_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-03-30T20:37:20.571538+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website for an official patch or update that addresses the SQL injection flaw.", "If no patch is available, restrict direct access to the /view_work.php endpoint or enforce strict authentication for its use.", "Sanitize and validate the en_id parameter, or replace direct queries with parameterized statements to eliminate injection risk.", "Deploy web application firewall rules that detect and block typical SQL injection payloads targeting the en_id field.", "Ensure the database user account used by the application has the minimum privileges required for its operations."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the code\u2011projects Accounting System, specifically any installation of version 1.0 as identified by the component Parameter Handler in view_work.php. No other versions are confirmed to be impacted based on the provided information.", "description_and_impact": "A flaw exists in the Accounting System\u2019s view_work.php file that allows an attacker to supply a crafted value for the en_id parameter. The manipulation of this input enables a classic SQL injection, which can lead to unauthorized data exposure, data modification, or account compromise. The weakness is rooted in improper handling of user-supplied data, matching the CWE-74 and CWE-89 classes of web application vulnerabilities. The impact is limited to the data accessed through the vulnerable endpoint but can be significant if sensitive accounting records are retrievable or tampered with.", "risk_and_exploitability": "The CVSS score of 6.9 places the flaw in the medium to high severity range, while the EPSS score of less than 1% indicates a low probability of exploitation under current conditions. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known public exploitation campaigns. Attackers can exploit the flaw remotely through a web request that targets the en_id argument, potentially gaining database access if proper defensive controls are absent. The risk is primarily contingent on the application\u2019s exposure to untrusted input and the security posture of the underlying database."}}}}, "created": "2026-03-29T20:31:44.082982+00:00", "updated": "2026-03-30T20:56:52.876409+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$accounting_system"]}