projectworlds Online Art Gallery Shop, SQL Injection, CVE-2026-3758 (MEDIUM)

Listen to this Post

The vulnerability arises from insufficient sanitization of the “Info” parameter within the `/admin/adminHome.php` script of projectworlds Online Art Gallery Shop version 1.0. An attacker can manipulate this input to inject arbitrary SQL code into the backend database query. Because the application fails to properly neutralize special elements, the injected SQL can modify the structure of the intended query. This allows a remote, unauthenticated attacker to bypass application logic and execute arbitrary SQL commands. The public availability of exploit code lowers the barrier for successful attacks. The impact is partial loss of confidentiality, integrity, and availability, as an attacker could extract sensitive data, modify database content, or potentially execute administrative operations. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

dailycve form:

Platform: Projectworlds
Version: 1.0
Vulnerability: SQL Injection
Severity: MEDIUM
date: 08/03/2026

Prediction: 30-60 days

What Undercode Say:

Analytics:

The vulnerability can be detected by fuzzing the `Info` parameter. The following `curl` command tests for basic SQL injection by attempting to cause a time delay.

curl -i "http://<target>/admin/adminHome.php?Info=1' OR SLEEP(5)-- -"

A more precise method involves using `sqlmap` to automate the discovery and exploitation.

sqlmap -u "http://<target>/admin/adminHome.php?Info=1" --batch --dbs

Exploit:

A manual exploit can leverage a UNION-based attack to extract data. The example below retrieves the database version.

-- Determine the number of columns required for the UNION. Assuming 3 columns for this example.
http://<target>/admin/adminHome.php?Info=1' UNION ALL SELECT 1,2,sqlite_version()-- -

Protection from this CVE:

The primary protection is to implement parameterized queries (prepared statements) in the backend code for adminHome.php. Input validation should also be applied to the `Info` parameter, strictly defining allowed characters. As a temporary workaround, a Web Application Firewall (WAF) can be configured with rules to block common SQLi patterns.

Impact:

Successful exploitation leads to unauthorized read access to the entire database, potentially exposing user credentials and gallery data. An attacker could also modify or delete records, leading to data integrity loss and potential defacement of the application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top