
CVE-2026-3758: SQL Injection in projectworlds Online Art Gallery Shop

Severity: Medium
Published: Sun Mar 08 2026 (03/08/2026, 18:02:09 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Online Art Gallery Shop

Description

A weakness has been identified in projectworlds Online Art Gallery Shop 1.0. Affected by this issue is some unknown functionality of the file /admin/adminHome.php. This manipulation of the argument Info causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/16/2026, 09:11:42 UTC

Technical Analysis

CVE-2026-3758 is a SQL injection vulnerability in projectworlds Online Art Gallery Shop version 1.0, located in the /admin/adminHome.php file. The flaw stems from inadequate validation or sanitization of the 'Info' parameter, whose value reaches a SQL query and can therefore alter that query. It allows a remote attacker to run unauthorized SQL statements against the backend database with no authentication and no user interaction, as the CVSS vector indicates (AV:N/AC:L/AT:N/PR:N/UI:N). The vector rates the impact on confidentiality, integrity, and availability as low on each axis (VC:L/VI:L/VA:L), so the expected outcome is limited data disclosure, modification, or deletion rather than full compromise. An exploit has been publicly disclosed, which raises the likelihood of exploitation, although no active exploitation has been reported. Only version 1.0 is listed as affected, and no official patch has been linked or published at this time. In practice an attacker could use the flaw to read sensitive customer or administrative data, alter records, or disrupt service. The vulnerability is rated medium severity with a CVSS 4.0 score of 6.9, reflecting the ease of exploitation and the bounded impact. The absence of an authentication requirement combined with remote reachability makes it a significant risk for affected deployments.

Potential Impact

The SQL injection vulnerability in projectworlds Online Art Gallery Shop 1.0 can lead to unauthorized access to sensitive data such as customer information, transaction records, and administrative details. Attackers could manipulate database queries to extract confidential data, modify or delete records, or disrupt the availability of the online shop. This could result in financial losses, reputational damage, and regulatory compliance issues for organizations operating the affected software. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker aware of the flaw, increasing the attack surface. The public availability of exploit code further elevates the risk of widespread attacks. Organizations relying on this software for e-commerce or art sales could face data breaches or operational disruptions, impacting customer trust and business continuity.

Mitigation Recommendations

To mitigate CVE-2026-3758, organizations should immediately determine whether they run projectworlds Online Art Gallery Shop version 1.0 and restrict access to the /admin/adminHome.php endpoint, ideally limiting it to trusted IP addresses or a VPN. A Web Application Firewall (WAF) with rules that detect and block SQL injection attempts against the 'Info' parameter can provide a temporary protective layer. The durable fix is to pass all user input, especially in administrative interfaces, through input validation and parameterized queries so that the value can never change the structure of the SQL statement. Since no official patch is currently available, organizations should contact the vendor for updates or move to a newer, unaffected version if one exists. Regularly monitoring logs for suspicious database queries or unusual admin page access helps detect exploitation attempts early. Applying the principle of least privilege to the database account the application uses limits the damage a successful injection can do. Back up critical data frequently so it can be restored after data corruption or deletion.
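As an added example (not code from this page or from the projectworlds project), the following Python scanner implements the log-monitoring recommendation above: it parses Apache-style access-log lines, isolates requests to /admin/adminHome.php, and flags Info values that contain SQL syntax. The log lines, client addresses and timestamps are constructed, and the detection heuristics are assumptions that would need tuning to the real application's expected Info values.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2026:18:05:01 +0000] "GET /admin/adminHome.php?Info=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Mar/2026:18:05:02 +0000] "GET /admin/adminHome.php?Info=12%27%20OR%201%3D1-- HTTP/1.1" 200 7120 "-" "curl/8.4"
198.51.100.4 - - [08/Mar/2026:18:05:03 +0000] "GET /gallery.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Mar/2026:18:05:04 +0000] "GET /admin/adminHome.php?Info=12%20UNION%20SELECT%20NULL HTTP/1.1" 500 310 "-" "curl/8.4"
"""

# Matches the leading fields of a combined-format line up to the response status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristics (assumed): signs of SQL syntax in a parameter that should carry a plain value.
SQLI_PATTERNS = [
    re.compile(r"['\"]"),                                        # quote that closes a string literal
    re.compile(r"--|/\*|#"),                                     # SQL comment sequences
    re.compile(r";"),                                            # statement terminator
    re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I),  # query keywords
]

def suspicious_value(value):
    """Return True if the decoded parameter value shows any SQL-syntax indicator."""
    return any(p.search(value) for p in SQLI_PATTERNS)

def scan_log(text, path="/admin/adminHome.php", param="Info"):
    """Return one finding per request to `path` whose `param` value looks like SQL."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            decoded = unquote_plus(value)  # second decode catches double-encoded values
            if suspicious_value(decoded):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": m.group("status"), "value": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} Info={f['value']!r}")
```

Two of the four constructed lines are flagged, both from the same client; the benign Info=12 request and the unrelated gallery.php request are ignored.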


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-07T20:34:09.798Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69adbe762904315ca3d63bf0

Added to database: 3/8/2026, 6:22:46 PM

Last enriched: 3/16/2026, 9:11:42 AM

Last updated: 4/23/2026, 4:46:46 AM
