{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7143", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T19:47:19.866Z", "datePublished": "2026-04-27T17:15:10.526Z", "dateUpdated": "2026-04-27T17:59:01.101Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T17:15:10.526Z"}, "title": "1000 Projects Portfolio Management System MCA block_status.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "1000 Projects", "product": "Portfolio Management System MCA", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T21:52:29.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "9str0il (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359742", "name": "VDB-359742 | 1000 Projects Portfolio Management System MCA block_status.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359742/cti", "name": "VDB-359742 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801607", "name": "Submit #801607 | 1000 Projects portfolio-management-system v1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/9str0IL/CVE/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://1000projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T17:58:50.328653Z", "id": "CVE-2026-7143", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:59:01.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7143", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T17:58:50.328653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:58:56.692Z"}}], "cna": {"tags": ["x_freeware"], "title": "1000 Projects Portfolio Management System MCA block_status.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "9str0il (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "1000 Projects", "product": "Portfolio Management System MCA", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T21:52:29.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359742", "name": "VDB-359742 | 1000 Projects Portfolio Management System MCA block_status.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359742/cti", "name": "VDB-359742 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801607", "name": "Submit #801607 | 1000 Projects portfolio-management-system v1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/9str0IL/CVE/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://1000projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T17:15:10.526Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7143", "state": "PUBLISHED", "dateUpdated": "2026-04-27T17:59:01.101Z", "dateReserved": "2026-04-26T19:47:19.866Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T17:15:10.526Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used."}], "id": "CVE-2026-7143", "lastModified": "2026-04-27T18:35:53.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T18:16:56.397", "references": [{"source": "cna@vuldb.com", "url": "https://1000projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/9str0IL/CVE/issues/3"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/801607"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359742"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359742/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "Portfolio Management System MCA", "source": "cna", "vendor": "1000 Projects"}, "product": "portfolio_management_system_mca", "vendor": "1000projects"}], "analysis": {"en": {"generated_at": "2026-04-28T12:59:46.938678+00:00", "value": {"mitigation_remediation": ["Apply the official vendor patch for 1000 Projects Portfolio Management System MCA if it is available.", "If a patch is not yet released, restrict direct access to /admin/block_status.php to trusted administrative users only, using authentication and role\u2011based controls.", "Implement input validation or switch to parameterized queries to prevent unsanitized SQL input from reaching the database.", "Deploy Web Application Firewall (WAF) rules that detect and block typical SQL injection payloads targeting the q parameter."], "summary": {"action": "Apply Patch", "impact": "Remote SQL injection that can lead to unauthorized data access or modification."}, "threat_synthesis": {"affected_systems": "The affected product is 1000 Projects Portfolio Management System MCA up to version 1.0. The vulnerability is tied to theadmin/block_status.php file. No additional product versions are listed, so any deployment of the specified version remains at risk.", "description_and_impact": "The vulnerability exists in the administrative block_status.php file of 1000 Projects Portfolio Management System MCA version 1.0 or earlier. An attacker can supply a crafted value for the query parameter q, causing the unescaped input to be incorporated directly into an SQL statement. This permits remote execution of arbitrary SQL queries, potentially allowing the attacker to read, modify, or delete database records. The weakness is identified as CWE-89. The vulnerability score of 5.3 indicates moderate severity, with the attack vector being remote.", "risk_and_exploitability": "Because the flaw permits remote SQL injection and the exploit code is publicly available, the likelihood of exploitation is significant. The CVSS score of 5.3 reflects moderate impact, but the absence of an EPSS score leaves precise probability estimates uncertain. The vulnerability is not yet listed in the CISA KEV catalog, though this does not eliminate the risk of abuse. Mitigation requires immediate vendor remediation or workarounds to prevent unauthenticated attackers from reaching the vulnerable endpoint."}}}}, "created": "2026-04-28T03:45:20.094492+00:00", "updated": "2026-04-28T13:00:15.257240+00:00", "vendors": ["1000projects", "1000projects$PRODUCT$portfolio_management_system_mca"]}