Vulnerabilities ›

CVE-2026-5150

High

A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin_costumer.php of the component Parameter Handler. Such

CWE-74 — Weakness Type

                    Published: Mar 30, 2026                      ·  Modified: Apr 6, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin_costumer.php of the component Parameter Handler. Such manipulation of the argument cos_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

🤖 AI Executive Summary

CVE-2026-5150 is a critical SQL injection vulnerability in code-projects Accounting System 1.0 affecting the /viewin_costumer.php file through the cos_id parameter. With a CVSS score of 7.3 and publicly disclosed exploit details, this poses an immediate threat to organizations using this accounting software. The vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of financial records.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 7, 2026 01:55

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi organizations in the banking and financial services sector, particularly smaller financial institutions and accounting firms using code-projects Accounting System. Government entities managing financial records through this system are also at risk. The SQL injection vulnerability could compromise sensitive financial data, customer information, and transaction records. Organizations in the healthcare sector using this accounting system for billing and financial management are vulnerable. Given the public disclosure of exploit details, the risk of active exploitation against Saudi organizations is elevated. SAMA-regulated entities and government agencies (under NCA oversight) using this software face compliance violations and potential regulatory penalties.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Accounting and Audit Firms Insurance

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1557 - Man-in-the-Middle T1005 - Data from Local System T1213 - Data from Information Repositories T1040 - Traffic Signaling T1021 - Remote Services T1078 - Valid Accounts

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all instances of code-projects Accounting System 1.0 in your environment and isolate affected systems from production networks if possible

2. Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting /viewin_costumer.php with cos_id parameter manipulation

3. Enable comprehensive logging and monitoring of all database queries and access attempts to the accounting system

PATCHING GUIDANCE:

1. Contact code-projects vendor immediately to request security patches or workarounds

2. If no patch is available, consider migrating to alternative accounting software with active security support

3. Implement input validation and parameterized queries if source code access is available

COMPENSATING CONTROLS:

1. Apply strict input validation on the cos_id parameter - whitelist only numeric values

2. Implement database user accounts with minimal privileges (read-only where possible)

3. Use database activity monitoring (DAM) solutions to detect and alert on suspicious SQL patterns

4. Restrict network access to the accounting system using IP whitelisting and VPN requirements

5. Implement Web Application Firewall rules: Block requests containing SQL keywords (UNION, SELECT, DROP, INSERT, UPDATE, DELETE) in the cos_id parameter

DETECTION RULES:

1. Monitor for HTTP requests to /viewin_costumer.php with cos_id parameter containing SQL metacharacters (', ", ;, --, /*, */)

2. Alert on database error messages returned in HTTP responses from the accounting system

3. Track unusual database query patterns and failed authentication attempts

4. Monitor for data exfiltration attempts following successful SQL injection

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع حالات نظام المحاسبة code-projects الإصدار 1.0 في بيئتك وعزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن

2. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب محاولات حقن SQL التي تستهدف /viewin_costumer.php مع معالجة معامل cos_id

3. فعّل التسجيل والمراقبة الشاملة لجميع استعلامات قاعدة البيانات ومحاولات الوصول إلى نظام المحاسبة

إرشادات التصحيح:

1. اتصل بمورد code-projects فوراً لطلب تصحيحات أمان أو حلول بديلة

2. إذا لم يكن هناك تصحيح متاح، فكر في الهجرة إلى برنامج محاسبة بديل مع دعم أمان نشط

3. طبق التحقق من الإدخال والاستعلامات المعاملة إذا كان لديك إمكانية الوصول إلى الكود المصدري

الضوابط البديلة:

1. طبق التحقق الصارم من الإدخال على معامل cos_id - قائمة بيضاء للقيم الرقمية فقط

2. طبق حسابات مستخدمي قاعدة البيانات بأقل الامتيازات (قراءة فقط حيث أمكن)

3. استخدم حلول مراقبة نشاط قاعدة البيانات (DAM) للكشف والتنبيه عن أنماط SQL المريبة

4. قيّد الوصول إلى نظام المحاسبة باستخدام القوائم البيضاء للعناوين وتطلبات VPN

5. طبق قواعد جدار حماية تطبيقات الويب: احجب الطلبات التي تحتوي على كلمات SQL (UNION, SELECT, DROP, INSERT, UPDATE, DELETE) في معامل cos_id

قواعد الكشف:

1. راقب طلبات HTTP إلى /viewin_costumer.php مع معامل cos_id يحتوي على أحرف SQL الخاصة (', ", ;, --, /*, */)

2. أصدر تنبيهات لرسائل خطأ قاعدة البيانات المرجعة في استجابات HTTP من نظام المحاسبة

3. تتبع أنماط استعلامات قاعدة البيانات غير العادية ومحاولات المصادقة الفاشلة

4. راقب محاولات تسرب البيانات التالية لحقن SQL الناجح

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1 - Information Security Policies and Procedures 5.2 - Access Control and Authentication 5.3 - Cryptography and Data Protection 5.4 - Audit and Accountability 5.5 - Incident Management 5.6 - Business Continuity and Disaster Recovery

🔵 SAMA CSF

Governance (GV) - GV-1: Organizational Context and Objectives Protect (PR) - PR-1: Access Control, PR-2: Data Protection Detect (DT) - DT-1: Anomalies and Events, DT-2: Security Continuous Monitoring Respond (RS) - RS-1: Response Planning, RS-2: Communications

🟡 ISO 27001:2022

A.5.1 - Policies for information security A.6.1 - Internal organization A.8.1 - Asset management A.9.1 - Access control A.12.2 - Logging A.12.4 - Logging and monitoring A.14.2 - Software development

🟣 PCI DSS v4.0.1

Requirement 1 - Install and maintain a firewall configuration Requirement 2 - Do not use vendor-supplied defaults Requirement 6 - Develop and maintain secure systems and applications Requirement 10 - Track and monitor access to network resources

🔗 References & Sources 5

🔗

https://code-projects.org/

cna@vuldb.com

🔗

https://github.com/Xu-Zhihan/CVE/issues/11

cna@vuldb.com

🔗

https://vuldb.com/submit/780199

cna@vuldb.com

🔗

https://vuldb.com/vuln/354183

cna@vuldb.com

🔗

https://vuldb.com/vuln/354183/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-74

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-03-30

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-5150

💬 Comments

Introduce Yourself

Sign In Required