CVE-2026-14648
Status: Received (Intake)

SQL Injection in Online Voting System

Vulnerability report for CVE-2026-14648, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A security vulnerability has been detected in code-projects Online Voting System up to version 0.x/1.0. The issue affects the function test_input in the file /authentication.php of the Login component. Manipulation of the arguments adminUserName and adminPassword leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-05
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: code-projects
Product: online_voting_system
Version / Range: up to 1.0 (inclusive)

Exploitability

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Executive Summary

CVE-2026-14648 is a high-severity SQL Injection vulnerability in the Online Voting System 1.0, specifically in the authentication.php file within the Login component.

The vulnerability occurs because the application uses the htmlspecialchars() function without the ENT_QUOTES flag to sanitize user input, which leaves single quotes unescaped.

This flaw allows attackers to inject malicious SQL code into the adminUserName and adminPassword POST parameters.

An attacker can bypass authentication by sending a crafted POST request with a payload like admin'-- - in the adminUserName field, which closes the SQL string and comments out the password check.

This causes the query to return the admin row without validating the password, granting the attacker full access to the admin panel.

Impact Analysis

Exploitation of this vulnerability allows an attacker to gain unauthorized administrative access to the Online Voting System.

With admin panel access, the attacker can view and manipulate sensitive voter data, election results, and candidate information.

This can lead to data breaches, election tampering, loss of data integrity, and a complete compromise of the voting system's trustworthiness.

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection in the adminUserName and adminPassword POST parameters of the authentication.php file. A common test is to send a crafted POST request with the payload admin'-- - in the adminUserName field, which attempts to bypass authentication by closing the SQL string and commenting out the password check.

You can use tools like curl or Burp Suite to send such crafted POST requests and observe if unauthorized access is granted.

Example curl command to test the vulnerability:

  • curl -X POST -d "adminUserName=admin'-- -&adminPassword=anything" http://target-site/authentication.php

If the response indicates successful login or access to the admin panel without valid credentials, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include:

  • Replace raw SQL queries with prepared statements using mysqli_prepare() and bind_param() to prevent SQL injection.
  • Hash passwords using password_hash() and verify them with password_verify() instead of storing or comparing plain text passwords.
  • If using htmlspecialchars() for input sanitization, include the ENT_QUOTES flag to ensure single quotes are escaped properly.
  • Restrict access to the authentication.php file and monitor logs for suspicious POST requests targeting adminUserName and adminPassword parameters.
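
The first three mitigation steps combined into one hardened admin login handler, as an added PHP example (not the project's code); the table name admins, its columns, and the database connection parameters are assumptions.

```php
<?php
// Added example, not code from the code-projects Online Voting System:
// an admin login handler hardened as the mitigation list above describes.
// Assumed (hypothetical) schema: table admins(admin_id, username, password_hash),
// where password_hash holds password_hash() digests, never plain text.
declare(strict_types=1);

function admin_login(mysqli $conn, string $username, string $password): ?int
{
    // The placeholder keeps adminUserName as data: a quote or "-- -" in it
    // can no longer terminate the string or comment out the rest of the query.
    $stmt = $conn->prepare(
        'SELECT admin_id, password_hash FROM admins WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($adminId, $storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Always run one password_verify() so an unknown username costs the same
    // time as a wrong password; the dummy digest is computed once per process.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $found ? $storedHash : $dummyHash);
    if (!$found || !$ok) {
        return null;
    }
    return (int) $adminId;
}

// Request handling: the field names are those from the advisory; the
// connection parameters are placeholders.
session_start();
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$adminId = admin_login(
    $conn,
    (string) ($_POST['adminUserName'] ?? ''),
    (string) ($_POST['adminPassword'] ?? '')
);
if ($adminId === null) {
    http_response_code(401);
    exit('Invalid credentials');
}
session_regenerate_id(true);   // fresh session id on privilege change
$_SESSION['admin_id'] = $adminId;
```

Note that htmlspecialchars() is an HTML output-encoding function, so even with ENT_QUOTES it is not a SQL injection control; the parameterized query above is what removes the flaw.
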

Compliance Impact

The SQL Injection vulnerability in the Online Voting System allows attackers to gain unauthorized admin access, enabling them to view and manipulate sensitive voter data, election results, and candidate information.

Such unauthorized access and potential data manipulation can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Failure to secure the system against this vulnerability may result in non-compliance with these standards, exposing the organization to legal and regulatory consequences.
