CVE-2026-13559

Received Received - Intake

SQL Injection in Real State Services

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-29

Last Modified

2026-06-29

Generated

2026-06-29

AI Q&A

2026-06-29

EPSS Evaluated

N/A

NVD

CVE-2026-13559

EUVD

EUVD-2026-40070

Affected Vendors & Products

Vendor	Product	Version / Range
code-projects	real_state_services	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL injection flaw found in the Real State Services 1.0 application, specifically in the single-list_sale.php file's add action. It occurs because the application does not properly validate the 'id' parameter, allowing attackers to inject malicious SQL code.

An attacker can exploit this vulnerability remotely without authentication by manipulating the 'id' argument to execute unauthorized SQL queries on the database.

Different types of SQL injection attacks are possible, including boolean-based blind, error-based, time-based blind, and UNION query attacks.

Impact Analysis

Exploiting this vulnerability can lead to unauthorized access to sensitive data stored in the database.

Attackers can manipulate or alter data, potentially causing data corruption or loss.

The vulnerability may allow attackers to gain control over the system or disrupt services, impacting availability.

Since no authentication is required, the risk of exploitation is higher.

Detection Guidance

This SQL injection vulnerability in Real State Services 1.0 can be detected by testing the 'id' parameter in the /single-list_sale.php?action=add endpoint for SQL injection flaws.

Use SQL injection testing tools or manual payloads such as boolean-based blind, error-based, time-based blind, and UNION query attacks against the 'id' parameter.
Example command using curl to test for SQL injection: curl "http://target/single-list_sale.php?action=add&id=1' OR '1'='1"
Use automated scanners like sqlmap with a command such as: sqlmap -u "http://target/single-list_sale.php?action=add&id=1" --batch

Mitigation Strategies

Immediate mitigation steps include implementing prepared statements and strict input validation on the 'id' parameter to prevent SQL injection.

Minimize database permissions to limit the impact of a potential injection.
Conduct regular security audits and code reviews focusing on input handling.
If possible, apply patches or updates provided by the vendor or developer.

Compliance Impact

The SQL injection vulnerability in Real State Services 1.0 allows unauthorized access to sensitive data and data manipulation without authentication. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Failure to mitigate this vulnerability could result in exposure of personal data, violating confidentiality and integrity requirements mandated by these standards, potentially leading to legal and financial consequences.

Hi! I’m here to help you understand CVE-2026-13559. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

SQL Injection in Real State Services

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart