Is there a public PoC exploit available for CVE-2026-5666?

Yes, a public proof-of-concept exploit is available for CVE-2026-5666. Prioritise patching immediately. EPSS: 0.0%.

Online Fir System CVE-2026-5666

Q: What is the CVSS score of CVE-2026-5666?

CVE-2026-5666 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19364 MEDIUM

Insecure Storage of Sensitive Information (CWE-922)

2026-04-06 VulDB

GHSA-jhff-3rr5-hh56

Information Disclosure Online Fir System

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 06, 2026 - 16:00 euvd

EUVD-2026-19364

Analysis Generated

Apr 06, 2026 - 16:00 vuln.today

CVE Published

Apr 06, 2026 - 15:30 nvd

MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler. The manipulation results in insecure storage of sensitive information. The attack may be performed from remote. The exploit is now public and may be used.

AnalysisAI

Code-Projects Online FIR System 1.0 stores sensitive database backup files insecurely, allowing unauthenticated remote attackers to access the /complaints.sql backup file and disclose confidential information. The CVSS 5.5 score reflects low confidentiality impact but network-accessible exposure; publicly available exploit code exists, elevating practical risk despite the moderate score.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Although the CVSS 5.5 score is moderate, multiple risk signals elevate practical priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker scans the Code-Projects Online FIR System deployment and discovers the publicly accessible /complaints.sql file via directory enumeration or web crawler. Using the publicly available exploit code from GitHub (https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Online%20FIR%20System%20PHP%20Exposed%20Database%20Backup.md), the attacker downloads the unprotected SQL backup file without authentication, extracting database credentials, user accounts, and potentially thousands of FIR complaints containing personal information, investigation details, and sensitive police operations data for further exploitation or sale.
Remediation	Immediately move or delete the /complaints.sql backup file from the web-accessible directory and restrict database backup file storage to non-web-accessible locations with appropriate filesystem permissions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5666 vulnerability details – vuln.today

Back