CVE-2026-9584
Description
A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. The manipulation leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Project Management System 1.0 login allows authentication bypass and admin access.
Vulnerability
The Project Management System 1.0 by code-projects contains a SQL injection vulnerability in the login component, specifically in the file chk.php. The input validation is insufficient, allowing an attacker to inject SQL commands. The vulnerability is present in version 1.0. [2]
Exploitation
An attacker can remotely exploit this by sending a crafted username parameter to the login page. For example, using 1' OR '1'='1' -- q as the username with any password (e.g., 123456) bypasses authentication. The attacker must select the administrator role during login. No prior authentication is required. [2]
Impact
Successful exploitation allows an attacker to bypass authentication and log in as any user, including the administrator. This grants the attacker the highest management privileges, leading to full control over the application and its data. [2]
Mitigation
As of the publication date (2026-05-26), no official patch has been released by code-projects. Users should apply input sanitization and parameterized queries to chk.php as a workaround. The vulnerability is publicly disclosed and may be added to CISA KEV. [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
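The parameterized-query mitigation named above, shown beside the concatenated pattern it replaces. This is an added example, not code from chk.php or from code-projects: the users table, its columns and both function names are assumptions, and the in-memory SQLite database is constructed so the script runs offline (requires the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);
// Added example. Table, columns and function names are assumptions; the
// advisory does not show chk.php's actual query.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT, role TEXT)');
$db->prepare('INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)')
   ->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 'administrator']);

// Weak pattern: request values are pasted into the SQL text, so a quote in
// $username rewrites the WHERE clause and "--" comments out the other checks.
function login_concatenated(PDO $db, string $username, string $password, string $role): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' "
         . "AND pw_hash = '$password' AND role = '$role'";
    return $db->query($sql)->fetch() !== false;
}

// Corrected pattern: the SQL text is fixed, values travel as bound parameters,
// and the password is checked in PHP against a stored hash.
function login_prepared(PDO $db, string $username, string $password, string $role): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u AND role = :r');
    $stmt->execute([':u' => $username, ':r' => $role]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Username and password values as quoted in the advisory text.
$payload = "1' OR '1'='1' -- q";
$cases = [
    'concatenated query, advisory username' => login_concatenated($db, $payload, '123456', 'administrator'),
    'prepared query, advisory username'     => login_prepared($db, $payload, '123456', 'administrator'),
    'prepared query, valid credentials'     => login_prepared($db, 'admin', 'constructed-admin-pw', 'administrator'),
];
foreach ($cases as $label => $accepted) {
    printf("%-40s %s\n", $label, $accepted ? 'login accepted' : 'login rejected');
}
```

The same three cases work as a regression check after changing chk.php: the advisory's username must be rejected while a valid account still logs in.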
Affected products
- Range: 1.0
Patches
No patches discovered yet.