CVE-2026-0578
SQL Injection in code-projects Online Product Reservation System
Publication date: 2026-01-04
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_product_reservation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0578 is a critical SQL injection vulnerability in version 1.0 of the code-projects Online Product Reservation System. It affects the file /handgunner-administrator/delete.php, where the ID parameter is improperly handled, allowing attackers to inject malicious SQL code. This happens because the application concatenates user input directly into SQL queries without proper validation or neutralization, enabling attackers to alter the intended database commands. The vulnerability can be exploited remotely without authentication, making it highly accessible. [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. Attackers can execute arbitrary SQL commands, which may allow them to extract sensitive information, delete or modify database records, and disrupt normal operations. Since the exploit is publicly available and requires no authentication, it poses a significant risk of unauthorized data access and data loss. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/handgunner-administrator/delete.php` and testing the `ID` parameter for SQL injection. One method is to use Google dorking with the query `inurl:handgunner-administrator/delete.php` to identify potentially vulnerable targets. For direct testing, you can use tools like sqlmap or manual curl commands to inject SQL payloads into the `ID` parameter and observe the response for SQL errors or unexpected behavior. Example command using curl: `curl 'http://target/handgunner-administrator/delete.php?ID=1'` and then try injecting SQL payloads such as `1' OR '1'='1`. Automated tools like sqlmap can be run as: `sqlmap -u 'http://target/handgunner-administrator/delete.php?ID=1' --risk=3 --level=5` to detect SQL injection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component with an alternative product, as no known countermeasures or patches are currently available. Additionally, restricting access to the vulnerable file `/handgunner-administrator/delete.php` via network controls or web application firewall (WAF) rules can help reduce exposure. Monitoring and blocking suspicious requests targeting the `ID` parameter may also help. Ultimately, applying secure coding practices such as input validation and parameterized queries in the source code is necessary for a permanent fix. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to perform SQL injection attacks that can compromise the confidentiality, integrity, and availability of the system's data. Such unauthorized access and manipulation of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by exposing sensitive data to potential compromise. [1, 3]