CVE-2026-0585
SQL Injection in code-projects Reservation System /order_view.php
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_product_reservation_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw in the code-projects Online Product Reservation System version 1.0. It exists in the /order_view.php file, specifically in the GET parameter handler for the 'transaction_id' parameter. The application directly concatenates this parameter into an SQL query without proper input validation or sanitization, allowing an attacker to inject malicious SQL code remotely. This can lead to unauthorized access to sensitive order and customer data. [2, 3]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to extract sensitive information such as order details and customer data from the database. It compromises the confidentiality, integrity, and availability of the system. Since the attack can be executed remotely without authentication, it poses a significant security risk, potentially leading to data breaches and unauthorized data manipulation. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for instances of the vulnerable script using Google dorking with queries such as `inurl:order_view.php` to identify potentially affected targets. Additionally, monitoring HTTP requests for suspicious or crafted inputs in the `transaction_id` GET parameter that could indicate SQL injection attempts may help detect exploitation attempts. Specific commands are not provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component or product, as no known mitigations or countermeasures have been reported. It is critical to avoid using the vulnerable version 1.0 of the code-projects Online Product Reservation System or to apply patches if available. Additionally, implementing input validation and sanitization on the `transaction_id` parameter to prevent SQL injection is recommended. [3]
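The concatenation pattern the advisory describes, beside the fix the mitigation answer calls for, as an added illustration rather than code from the code-projects project; the `orders` table, its `transaction_id` column, the PDO connection and the id format are assumptions.

```php
<?php
// Added example, not the project's code. Table `orders`, column
// `transaction_id`, the PDO handle and the id format are assumptions.

// BEFORE (the pattern described for /order_view.php): the GET parameter
// is spliced into the SQL text, so any SQL metacharacters it contains
// become part of the statement instead of being treated as data.
function orderViewVulnerable(PDO $db, array $get): ?array
{
    $sql = "SELECT * FROM orders WHERE transaction_id = '"
         . $get['transaction_id'] . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// AFTER: the value travels as a bound parameter, which is what actually
// removes the injection; the allow-list check in front of it is
// defence in depth (assumed format: up to 64 [A-Za-z0-9_-] characters,
// since the advisory does not state what a transaction id looks like).
function orderViewHardened(PDO $db, array $get): ?array
{
    $tid = $get['transaction_id'] ?? '';
    if (!is_string($tid) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $tid)) {
        http_response_code(400);   // reject instead of trying to "clean" it
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM orders WHERE transaction_id = :tid');
    $stmt->bindValue(':tid', $tid, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup assumed for the hardened path: native prepares on,
// so the driver binds server-side rather than interpolating client-side.
function connect(string $dsn, string $user, string $pass): PDO
{
    $db = new PDO($dsn, $user, $pass);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}
```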
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform SQL injection to extract sensitive order information and customer data from the database, which could lead to unauthorized access and data breaches. Such breaches may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. However, no specific compliance impact or regulatory references are detailed in the provided resources. [2, 3]