CVE-2026-0583

Unknown Unknown - Not Provided

SQL Injection in code-projects Online Product Reservation User Login

Publication date: 2026-01-05

Last updated on: 2026-04-29

Assigner: VulDB

Description

A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-01-05

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-01-05

EPSS Evaluated

2026-06-15

NVD

CVE-2026-0583

EUVD

EUVD-2026-0874

Affected Vendors & Products

Vendor	Product	Version / Range
unknown_vendor	online_product_reservation_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a critical SQL injection flaw in the user login functionality of the code-projects Online Product Reservation System version 1.0. It occurs because the application directly concatenates user-supplied input from the 'emailadd' parameter into an SQL query without proper validation or sanitization. This allows attackers to inject malicious SQL code remotely, bypass authentication, and gain unauthorized access to sensitive user data stored in the database. The issue is located in the file app/user/login.php. [1, 2]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive user data, bypassing authentication mechanisms, and potential manipulation or disruption of the database. It affects the confidentiality, integrity, and availability of the system. Attackers can exploit this remotely without authentication, potentially leading to data breaches and system compromise. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the 'emailadd' parameter in the login functionality (app/user/login.php) for SQL injection. One method is to use SQL injection testing tools or manual injection attempts with payloads such as ' OR '1'='1 to see if authentication can be bypassed. Additionally, attackers can be identified by monitoring for suspicious requests targeting 'app/user/login.php' with unusual input in the 'emailadd' parameter. Google dorking with queries like 'inurl:app/user/login.php' can help identify vulnerable endpoints externally. Specific commands for detection include using curl or sqlmap, for example: curl -X POST -d "emailadd=' OR '1'='1" https://target/app/user/login.php or sqlmap -u "https://target/app/user/login.php" --data="emailadd=test" --risk=3 --level=5. These approaches help confirm if the SQL injection vulnerability exists. [2]

Mitigation Strategies

Immediate mitigation steps include replacing or patching the affected component or product, as no known mitigations or countermeasures have been documented. It is critical to sanitize and validate all user inputs, especially the 'emailadd' parameter in app/user/login.php, to prevent SQL injection. Applying input validation, using prepared statements or parameterized queries, and avoiding direct concatenation of user input into SQL queries are recommended. If patching is not immediately possible, restricting access to the vulnerable login page or implementing Web Application Firewall (WAF) rules to block malicious SQL injection attempts can help reduce risk. [2]

Compliance Impact

The vulnerability allows attackers to bypass authentication and gain unauthorized access to sensitive user data, which can lead to breaches of confidentiality, integrity, and availability of personal information. Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data. Therefore, this vulnerability poses a significant risk to compliance with these regulations. [1, 2]

Hi! I’m here to help you understand CVE-2026-0583. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-0583

SQL Injection in code-projects Online Product Reservation User Login

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart