CVE-2026-5839
Received Received - Intake
SQL Injection in PHPGurukul News Portal /admin/add-subcategory.php

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in PHPGurukul News Portal Project 4.1. This issue affects some unknown processing of the file /admin/add-subcategory.php. Such manipulation of the argument sucatdescription leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5839
EUVD
EUVD-2026-20848
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul news_portal_project 4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-5839 vulnerability is a critical SQL injection flaw in the PHPGurukul News Portal Project version 4.1, specifically in the /admin/add-subcategory.php file.

It arises from improper handling of the 'sucatdescription' parameter, which is incorporated directly into SQL queries without proper sanitization or validation.

This allows attackers to inject malicious SQL code remotely, potentially leading to unauthorized database access, data leakage, data manipulation, full system compromise, and service disruption.

The vulnerability was confirmed using a time-based blind SQL injection technique targeting MySQL versions 5.0.12 and above.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to the database, allowing attackers to leak sensitive data, manipulate or delete data, and potentially take full control of the affected system.

This can result in service disruption, loss of data integrity, and compromise of the overall security of the application and its backend systems.

Detection Guidance

This vulnerability can be detected by testing the /admin/add-subcategory.php endpoint for SQL injection in the sucatdescription POST parameter.

A common detection method is to use a time-based blind SQL injection payload that causes a delay in the database response, confirming the injection point.

An example of such a payload is: category=3&subcategory=11&sucatdescription=22' AND (SELECT 6391 FROM (SELECT(SLEEP(5)))JACQ) AND 'xcbW'='xcbW&submitsubcat=

You can send a crafted POST request to /newsportal/admin/add-subcategory.php with this payload and observe if the response is delayed by approximately 5 seconds, indicating vulnerability.

For example, using curl command:

  • curl -X POST -d "category=3&subcategory=11&sucatdescription=22' AND (SELECT 6391 FROM (SELECT(SLEEP(5)))JACQ) AND 'xcbW'='xcbW&submitsubcat=" http://target/newsportal/admin/add-subcategory.php -v --max-time 10

If the response time is significantly longer than usual, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement prepared statements with parameter binding to separate SQL code from user input, preventing SQL injection.
  • Perform strict input validation and filtering to ensure that inputs conform to expected formats and do not contain malicious code.
  • Restrict database user permissions to the minimum necessary, avoiding the use of high-privilege accounts for routine operations.

These measures are critical to protect system security and maintain data integrity against exploitation of this SQL injection vulnerability.

Compliance Impact

The SQL injection vulnerability in PHPGurukul News Portal Project 4.1 allows unauthorized database access, data leakage, and data manipulation. Such unauthorized access and potential exposure of sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Failure to properly secure the application against this vulnerability could result in breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements for data protection and potentially leading to legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart