Which versions of Online Art Gallery Shop are affected by CVE-2026-3757?

A high-severity vulnerability in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated attackers to exploit an authentication bypass mechanism, potentially compromising customer data and…

Is there a public PoC exploit available for CVE-2026-3757?

Yes, a public proof-of-concept exploit is available for CVE-2026-3757. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-3757?

Within 24 hours: Isolate affected systems from production if possible and enable enhanced logging on the vulnerable endpoint (/?pass=1). Within 7 days: Deploy WAF rules to block suspicious requests to the vulnerable parameter, implement IP whitelisting for administrative access, and assess whether the application is business-critical. Within 30 days: Plan migration to patched versions when available, upgrade to alternative gallery software if the vendor cannot provide timely remediation, or decommission the application entirely if no longer required.

Online Art Gallery Shop CVE-2026-3757

Q: What is the CVSS score of CVE-2026-3757?

CVE-2026-3757 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2026-03-08 cna@vuldb.com

SQLi Online Art Gallery Shop

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 09, 2026 - 16:31 vuln.today

Public exploit code

CVE Published

Mar 08, 2026 - 19:16 nvd

HIGH 7.3

DescriptionCVE.org

A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

SQL injection in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate the fnm parameter via the /?pass=1 endpoint, potentially enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request to /?pass=1

Exploit

Inject SQL payload in fnm parameter

Execution

Execute arbitrary SQL commands

Impact

Extract or modify database