CVE-2026-2176
SQL Injection in Contact Management System index.py Allows Remote Attack
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | contact_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2176 is a SQL injection vulnerability found in version 1.0 of the code-projects Contact Management System, specifically in the file index.py.
The vulnerability occurs because the argument selecteditem[0] is used unsafely to construct SQL commands without proper neutralization or parameterization, allowing an attacker to inject malicious SQL code.
This flaw allows remote attackers to manipulate SQL queries executed on the local SQLite database, potentially compromising the system.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to execute arbitrary SQL commands on the database, which stores sensitive personal information such as first name, last name, address, and contact details.
Potential impacts include unauthorized deletion, modification, or disclosure of personally identifiable information (PII), affecting the confidentiality, integrity, and availability of your data.
Since the attack can be executed remotely and the exploit is relatively easy, it poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability arises from unsafe construction of SQL DELETE statements in the Contact Management System's index.py file, specifically using string interpolation with the selecteditem[0] value. Detection involves identifying if the system uses such vulnerable code patterns."}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can review the source code for unsafe SQL query construction, especially looking for SQL commands built using string formatting or concatenation with user-controlled inputs without parameterization.'}, {'type': 'paragraph', 'content': 'Since the vulnerable code uses SQLite and Python, you can search for the following pattern in the codebase:'}, {'type': 'list_item', 'content': 'cursor.execute("DELETE FROM `member` WHERE `mem_id` = %d" % selecteditem[0])'}, {'type': 'paragraph', 'content': 'For runtime detection, monitor database queries for suspicious or malformed SQL commands that could indicate injection attempts.'}, {'type': 'paragraph', 'content': 'No specific network commands or signatures are provided, but you can use general SQL injection detection tools or scripts to test the application by injecting SQL payloads into the selecteditem[0] input if accessible.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known countermeasures or mitigations have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected component or product with an alternative that does not contain this vulnerability.'}, {'type': 'paragraph', 'content': 'In the meantime, if you have access to the source code, modify the vulnerable SQL query to use parameterized queries instead of string formatting to prevent SQL injection.'}, {'type': 'list_item', 'content': 'Change the vulnerable code from: cursor.execute("DELETE FROM `member` WHERE `mem_id` = %d" % selecteditem[0])'}, {'type': 'list_item', 'content': 'To a parameterized query like: cursor.execute("DELETE FROM `member` WHERE `mem_id` = ?", (selecteditem[0],))'}, {'type': 'paragraph', 'content': 'Additionally, restrict access to the application and monitor for suspicious activity to reduce risk until a full fix or replacement is implemented.'}] [1, 2]