CVE-2026-0567 identifies a SQL Injection vulnerability in the code-projects Content Management System version 1.0, specifically within an unknown function in the /pages.php file. The vulnerability arises from improper sanitization of the 'ID' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL commands. This injection can lead to unauthorized database queries, potentially exposing sensitive data, altering or deleting records, or even enabling further compromise of the underlying system. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with attack vector being network-based, no privileges or user interaction required, and partial impacts on confidentiality, integrity, and availability. The exploit code is publicly available, increasing the risk of exploitation, although no active exploitation in the wild has been reported to date. The lack of patches or vendor-provided fixes necessitates immediate attention from administrators. The vulnerability affects only version 1.0 of the CMS, which may limit the scope but still poses a significant risk to organizations relying on this software for content management. The attack surface includes any web-facing instance of the CMS where the vulnerable parameter is accessible.

For European organizations, this vulnerability can lead to unauthorized access to sensitive data stored within the CMS database, including potentially personal data protected under GDPR. Data integrity may be compromised through unauthorized modification or deletion of content, which can disrupt business operations and damage reputation. Availability may also be affected if attackers execute destructive SQL commands or cause database corruption. Organizations in sectors such as government, healthcare, education, and media that rely on this CMS for public-facing websites or internal portals are particularly at risk. The public availability of exploit code increases the likelihood of opportunistic attacks, especially against less maintained or legacy systems. Non-compliance with data protection regulations due to data breaches stemming from this vulnerability could result in significant legal and financial penalties within Europe.

Immediate mitigation should focus on code-level remediation by sanitizing and validating the 'ID' parameter in /pages.php to prevent SQL injection, ideally by implementing parameterized queries or prepared statements. If source code modification is not feasible, deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the vulnerable parameter can provide interim protection. Conduct a thorough audit of all CMS instances to identify affected versions and isolate or restrict access to vulnerable endpoints. Regularly monitor logs for suspicious activity indicative of SQL injection attempts. Organizations should also consider upgrading to a patched or newer version of the CMS once available. Additionally, implement strict access controls and network segmentation to limit exposure of the CMS to only necessary users and systems. Backup critical data regularly to enable recovery in case of data corruption or loss.