CVE-2026-5041
Received Received - Intake
Command Injection in Chamber of Commerce CMS fwrite Function

Publication date: 2026-03-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is the function fwrite of the file admin/pageMail.php. The manipulation of the argument mailSubject/mailMessage leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5041
EUVD
EUVD-2026-16985
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects chamber_of_commerce_membership_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5041 is a Remote Code Execution (RCE) vulnerability in the Chamber of Commerce Membership Management System version 1.0. It occurs due to insecure handling of user input in the mail sending functionality, specifically in the file admin/pageMail.php.

When an administrator sends an email, the system writes the mail subject and mail message directly into a dynamically generated PHP file using the fwrite function without proper sanitization. Because PHP double-quoted strings allow complex variable parsing, an attacker can inject arbitrary PHP code through the mail message field.

This injected PHP code is then executed when the generated PHP file is included by another script (admin/pageSender.php), allowing the attacker to run arbitrary commands on the server remotely.

Impact Analysis

This vulnerability allows an attacker to gain full remote code execution capabilities on the affected system.

  • Execute arbitrary system commands.
  • Read, modify, or delete any files on the server.
  • Upload and execute a webshell to maintain persistent access.
  • Pivot within internal networks to compromise additional systems.

Overall, this leads to complete compromise of the underlying system and potentially the broader network environment.

Detection Guidance

This vulnerability can be detected by checking for the presence of the malicious webshell file named 'a.php' in the 'admin/' directory of the Chamber of Commerce Membership Management System.

You can also monitor HTTP requests to the URL path '/admin/a.php' which may indicate exploitation attempts.

Additionally, inspecting the mail sending functionality for suspicious payloads in the mail message or subject fields can help detect attempts to exploit the vulnerability.

  • Check for the webshell file on the server: `ls -l /path/to/admin/a.php`
  • Search web server access logs for requests to the webshell: `grep '/admin/a.php' /var/log/apache2/access.log`
  • Look for suspicious PHP code injection patterns in mail message submissions, for example by reviewing application logs or database entries related to mail content.
Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the mail sending functionality in 'admin/pageMail.php' to prevent injection of malicious payloads.

Remove any existing malicious files such as 'a.php' from the 'admin/' directory to eliminate active webshells.

Restrict administrative access to trusted users only and monitor for suspicious activity.

Apply input validation and sanitization on mail subject and message fields to prevent injection of PHP code.

If possible, update or patch the application to a version that fixes this vulnerability.

Compliance Impact

The vulnerability allows an attacker to achieve remote code execution, leading to full system compromise, including the ability to read, modify, or delete any files and execute arbitrary system commands.

Such a compromise can result in unauthorized access to sensitive personal or protected health information, which may violate data protection regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches, loss of data integrity, and failure to protect confidential information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart