CVE-2026-6004: SQL Injection in Simple IT Discussion Forum Delete Category
A SQL injection vulnerability tracked as CVE-2026-6004 has been disclosed in code-projects Simple IT Discussion Forum 1.0, a PHP-based open-source forum application. The flaw exists in the category deletion handler and is remotely exploitable without authentication privileges, making it a meaningful risk for any publicly accessible deployment.
The vulnerability was assigned a CVSS v3.1 score of 7.3 (High) and classified under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6004 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | code-projects Simple IT Discussion Forum 1.0 |
| Vulnerable File | /delete-category.php |
| Vulnerable Parameter | cat_id |
| Attack Vector | Network (Remote) |
| Authentication Required | Low |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability resides in the category deletion endpoint of the forum application. When a request is made to /delete-category.php, the application accepts the cat_id parameter and passes it directly into a SQL query without adequate sanitization or use of parameterized statements.
Exploitation Mechanism
An attacker who can reach the endpoint — through a publicly exposed admin panel or authenticated forum session — can inject arbitrary SQL via the cat_id parameter:
/delete-category.php?cat_id=1' OR '1'='1
/delete-category.php?cat_id=1 UNION SELECT NULL,NULL,NULL--
Successful exploitation could allow:
- Database enumeration — extraction of all tables including user credentials, posts, and session tokens
- Authentication bypass — if the injected query affects session validation logic
- Data deletion or modification — manipulation of forum categories, posts, or user records
- Credential harvesting — exposure of hashed or plaintext passwords stored in the database
Attack Flow
1. Attacker identifies an internet-facing Simple IT Discussion Forum installation
2. Attacker probes /delete-category.php with crafted cat_id values
3. Injected SQL payload is concatenated directly into the backend query
4. Database responds with out-of-band data or confirms blind injection via timing
5. Attacker extracts user credentials, posts, and admin session tokens
6. With harvested credentials, attacker achieves admin-level forum access
Affected Software Context
code-projects is an educational PHP application repository widely used by students and small developers learning web programming. The Simple IT Discussion Forum 1.0 is one of many free forum applications distributed for learning purposes.
Despite their educational intent, these applications are frequently deployed in real environments — sometimes by small IT teams or academic labs — without security hardening. Multiple CVEs have been disclosed against code-projects applications in recent months, pointing to a systemic pattern of unparameterized SQL queries across their PHP codebase. This CVE is related to a broader cluster of SQL injection disclosures affecting various endpoints in the same software version, including edit-category.php and other administrative handlers.
Remediation
Immediate Steps
No official patch has been released. Operators running this software should take the following steps:
- Restrict access — Block /delete-category.php (and other admin endpoints) from public internet access via firewall rules, .htaccess controls, or network-level ACLs
- Deploy a WAF — Use ModSecurity, Cloudflare WAF, or equivalent with SQL injection detection rules enabled
- Parameterize queries — Replace raw string concatenation with PDO or MySQLi prepared statements across the application
- Rotate credentials — Treat any internet-accessible deployment as compromised and rotate all database and application credentials
- Audit logs — Review server access logs for unusual requests to /delete-category.php with non-integer cat_id values
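As an added example (not part of the original advisory or of the forum's code), the following Python script implements the log-audit step above: it parses Apache combined-format access log lines, constructed here for illustration, and flags requests to /delete-category.php whose cat_id is missing or is not a plain integer. The log format, the regex, the function names and the sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined"-format lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:01:15 +0000] "GET /delete-category.php?cat_id=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:02:03 +0000] "GET /delete-category.php?cat_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123 "-" "curl/8.4.0"
198.51.100.2 - - [10/May/2026:12:02:44 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:03:10 +0000] "GET /delete-category.php?cat_id=1%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 6010 "-" "curl/8.4.0"
203.0.113.7 - - [10/May/2026:12:04:00 +0000] "GET /delete-category.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)
VULN_PATH = "/delete-category.php"
# A legitimate category id is a short run of digits; anything else is suspect.
INT_RE = re.compile(r"^[0-9]{1,10}$")


def check_line(line):
    """Return a finding dict for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    base = {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status")}
    params = parse_qs(url.query, keep_blank_values=True)
    if "cat_id" not in params:
        # POST bodies are not in the access log, so only query-string values are visible here.
        return {**base, "cat_id": None, "reason": "cat_id missing"}
    # parse_qs decodes once; decode again so a double-encoded value is judged in its final form.
    values = [unquote(v) for v in params["cat_id"]]
    bad = [v for v in values if not INT_RE.match(v)]
    if bad:
        return {**base, "cat_id": bad[0], "reason": "non-integer cat_id"}
    return None


def audit(log_text):
    """Run check_line over every line and return the findings in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['cat_id']!r}")
```

Feed the script a real access log in place of SAMPLE_LOG; a hit with a 200 status on a value that is not a plain integer is the pattern the remediation list asks operators to look for.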
Code-Level Fix
The root cause is direct parameter interpolation. Replacing the vulnerable pattern with a prepared statement eliminates the injection surface:
// Vulnerable pattern: the request parameter is concatenated straight into the SQL string
$query = "DELETE FROM categories WHERE cat_id = " . $_GET['cat_id'];

// Secure pattern (PDO prepared statement): the value is bound as data and never parsed as SQL
$stmt = $pdo->prepare("DELETE FROM categories WHERE cat_id = ?");
$stmt->execute([$_GET['cat_id']]);

Impact Assessment
| Impact Area | Description |
|---|---|
| Data Exposure | All database tables accessible via UNION-based injection |
| Credential Theft | User and admin credentials extractable from the database |
| Data Destruction | Forum categories and posts can be deleted or manipulated |
| Authentication Bypass | SQL logic manipulation may bypass admin login checks |
| Deployment Risk | Public exploit available; exploitability depends on internet exposure |
Key Takeaways
- CVE-2026-6004 is a CVSS 7.3 SQL injection in code-projects Simple IT Discussion Forum 1.0 affecting /delete-category.php
- The cat_id parameter is passed unsanitized into a SQL DELETE query, enabling full database manipulation
- A public exploit has been released, making exploitation accessible to low-skill attackers
- No official patch exists — access restriction and WAF deployment are the primary near-term mitigations
- This is part of a broader pattern of SQL injection vulnerabilities across code-projects PHP applications — treat any deployment as requiring a dedicated security review before production use