CVE-2026-4970

MEDIUM

code-projects Social Networking Site Endpoint delete_photos.php sql injection

Title source: cna

Description

A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file delete_photos.php of the component Endpoint. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/?id.353857

[Signature, Permissions Required] https://vuldb.com/?ctiid.353857

[Third Party Advisory] https://vuldb.com/?submit.777870

[Exploit] https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Social%20Networking%20Site%20v1.0%20delete_photos.php.md

View Exploit ZIP pw:eip

[Product] https://code-projects.org/

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (1)

code-projects/Social Networking Site 1.0

Published Mar 27, 2026

Tracked Since Mar 29, 2026