Listen to this Post
The vulnerability, identified as CVE-2026-3759, is an unauthenticated SQL injection flaw found in the `reach_nm` parameter within the `/admin/adminHome.php` file of projectworlds Online Art Gallery Shop version 1.0. The core issue stems from the application’s failure to properly sanitize user-supplied input before incorporating it into an SQL query. Specifically, when a remote attacker manipulates the `reach_nm` argument, they can inject arbitrary SQL code. This allows the attacker to interfere with the queries the application makes to its backend database . The attack can be executed remotely without any prior authentication, leveraging the publicly disclosed exploit . The vulnerability is rooted in common injection weaknesses (CWE-89 and CWE-74) . With a CVSS base score of 6.9 (Medium) in version 4.0, its vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates low attack complexity and no required privileges or user interaction, but only partial impacts to confidentiality, integrity, and availability .
dailycve form:
Platform: projectworlds Online Art Gallery Shop
Version: 1.0
Vulnerability : SQL Injection
Severity: Medium
date: March 8 2026
Prediction: Vendor patch unlikely
What Undercode Say:
Analytics:
The vulnerability is highly accessible (network vector, low complexity) and requires no authentication or user interaction. Its public exploit status (E:P) increases the immediate risk of widespread scanning and automated attacks. The moderate CVSS score (6.9) reflects limited impact to each security attribute (Low) and no scope change, but combined with ease of exploitation, it presents a significant threat to data confidentiality and integrity for unpatched instances.
Exploit:
A remote attacker can exploit this by sending a crafted HTTP request to the `/admin/adminHome.php` endpoint. The malicious payload is injected into the `reach_nm` parameter. A basic proof-of-concept example would be:
curl -X POST "http://<target-victim-site>/admin/adminHome.php" -d "reach_nm=1' OR '1'='1"
More sophisticated SQL commands could be used to enumerate database tables, extract user credentials, or modify database content .
Protection from this CVE:
The primary protection is to sanitize all user inputs. Implement parameterized queries (prepared statements) in the code for database interactions to ensure user input is treated as data, not executable code. Deploy a Web Application Firewall (WAF) to filter out malicious SQL injection patterns. As a workaround, disable remote access to the admin panel or restrict access by IP address until a patch is applied .
Impact:
Successful exploitation allows an unauthenticated remote attacker to read, modify, or delete arbitrary data within the application’s database. This could lead to unauthorized access to administrative credentials, defacement of the website, theft of sensitive information, and potential compromise of the underlying server if the database user has high privileges .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

