VYPR
Medium severity 6.3 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 29, 2026

CVE-2026-6202

Description

A security flaw has been discovered in code-projects Easy Blog Site 1.0. It affects an unknown function of the file post.php. Manipulating the argument tags results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy Blog Site 1.0 post.php is vulnerable to unauthenticated SQL injection via the 'tags' GET parameter, allowing remote attackers to access and manipulate the database.

A SQL injection vulnerability exists in code-projects Easy Blog Site version 1.0. The flaw is in the post.php file, where the tags GET parameter is concatenated directly into SQL queries without any sanitization or validation [1]. As a result, an attacker can inject arbitrary SQL commands through the tags input.

The attack can be initiated remotely without authentication or any special privileges [1]. An attacker sends a crafted HTTP GET request to the vulnerable post.php script with malicious SQL in the tags parameter. Proof-of-concept exploit code has been publicly released, demonstrating boolean-based blind injection techniques [1].

The impact of successful exploitation is severe: an attacker can gain unauthorized access to the underlying database, extract sensitive data (e.g., user credentials, personal information), modify existing data, and under certain conditions achieve complete system compromise or service disruption [1]. Since this is a PHP application with direct database interactions, a successful injection could lead to data leakage, tampering, or service disruption [1].

As of the latest public disclosure, no official patch has been released by the vendor for Easy Blog Site 1.0 [2]. Users of this project are advised to implement input validation and parameterized queries in post.php, or migrate to a supported and maintained blog platform to mitigate this risk [1].
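
One way to apply the mitigation above, as an added example that is not code from the advisory or from Easy Blog Site: the `posts` schema, the function names and the sample inputs are assumptions, since the source of post.php is not shown on this page. It validates the `tags` value against an allow-list and binds it as a query parameter, using an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Schema (posts.id, posts.title, posts.tags) and function
// names are assumptions; the advisory does not show post.php's code.

// Pattern the advisory describes (do not use): the request value is
// concatenated into the SQL text, e.g.
//   "SELECT ... WHERE tags LIKE '%" . $_GET['tags'] . "%'"

/** Allow-list validation: returns the tag, or null if it must be rejected. */
function normalize_tag(mixed $raw): ?string
{
    if (!is_string($raw)) {   // rejects missing values and ?tags[]=x arrays
        return null;
    }
    $tag = trim($raw);
    // Letters, digits, space, underscore, hyphen; 1 to 32 characters.
    return preg_match('/\A[\p{L}\p{N} _-]{1,32}\z/u', $tag) === 1 ? $tag : null;
}

/** Parameterized lookup: the tag travels as bound data, never as SQL text. */
function find_posts_by_tag(PDO $db, string $tag): array
{
    // Escape LIKE wildcards so "_" in a tag matches literally.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $tag) . '%';
    $stmt = $db->prepare("SELECT id, title FROM posts WHERE tags LIKE :t ESCAPE '!'");
    $stmt->execute([':t' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, tags TEXT)');
$db->exec("INSERT INTO posts (title, tags) VALUES ('Hello', 'php,web'), ('Notes', 'sql_tips')");

// Constructed inputs: two valid tags, one with a quote, one array value.
foreach (['php', 'sql_tips', "web'dev", ['x']] as $input) {
    $tag = normalize_tag($input);
    if ($tag === null) {
        echo "rejected (respond with HTTP 400)\n";
        continue;
    }
    echo $tag, ': ', count(find_posts_by_tag($db, $tag)), " row(s)\n";
}
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` when constructing the handle so the statement is prepared server-side.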

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

5
