CVE-2026-0565 identifies a SQL Injection vulnerability in version 1.0 of the code-projects Content Management System (CMS). The flaw exists in the /admin/delete.php script, where the 'del' parameter is improperly sanitized, allowing attackers to inject malicious SQL commands. This injection can be performed remotely without authentication or user interaction, making it accessible to a wide range of attackers. The vulnerability can lead to unauthorized data access, modification, or deletion within the backend database, compromising confidentiality and integrity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild, the availability of exploit code increases the likelihood of attacks. The CMS is typically used for website content management, and the administrative interface is a high-value target. The vulnerability highlights the importance of secure coding practices, especially input validation and use of parameterized queries to prevent SQL injection.

For European organizations using code-projects CMS version 1.0, this vulnerability could lead to unauthorized access to sensitive data stored in backend databases, including user information, content, and administrative data. Attackers could manipulate or delete data, disrupt website functionality, or escalate attacks to compromise other systems. This is particularly impactful for organizations in sectors such as government, finance, healthcare, and critical infrastructure where data integrity and confidentiality are paramount. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if administrative interfaces are exposed to the internet. Data breaches resulting from this vulnerability could lead to regulatory penalties under GDPR, reputational damage, and operational disruptions. The medium severity rating suggests a significant but not catastrophic impact, emphasizing the need for timely remediation.

1. Immediately restrict access to the /admin/delete.php endpoint by implementing network-level controls such as IP whitelisting or VPN access to administrative interfaces. 2. Apply patches or updates from the vendor as soon as they become available; if no official patch exists, consider disabling the vulnerable functionality temporarily. 3. Implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'del' parameter. 4. Conduct a thorough code review of the CMS to identify and remediate other potential injection points by enforcing parameterized queries and proper input validation. 5. Monitor logs for suspicious activity related to the 'del' parameter and unusual database queries. 6. Educate administrators on the risks of exposing administrative endpoints publicly and encourage use of multi-factor authentication and strong access controls. 7. Consider migrating to a more secure or actively maintained CMS if code-projects CMS 1.0 is no longer supported.