CVE-2026-14735

SQL Injection in Smart Parking System 1.0

Vulnerability report for CVE-2026-14735, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability has been found in code-projects Smart Parking System 1.0. The affected element is an unknown function of the file /parkings/parkings.php. Manipulation of the argument street/city/status leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.


Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor         Product                Version / Range
code-projects  smart_parking_system   1.0

Exploitability

CWE ID   Description
CWE-74   The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89   The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.


Executive Summary

This vulnerability is a SQL Injection flaw found in the Smart Parking System 1.0, specifically in the /parkings/parkings.php file. It occurs because the 'street', 'city', and 'status' parameters are not properly sanitized and are directly concatenated into SQL queries. This allows an attacker to manipulate these inputs to execute arbitrary SQL commands remotely.

Due to the database user having root-level privileges with FILE access, attackers can perform advanced SQL Injection techniques such as UNION-based and Time-based Blind SQL Injection. This enables them to enumerate the entire database, disclose sensitive credentials including admin credentials, and read arbitrary files on the server's operating system.

The vulnerability was confirmed using tools like Burp Suite and sqlmap, showing the ability to extract sensitive data such as the /etc/passwd file and admin credentials from the 'smart_users' table.

Impact Analysis

This vulnerability can have severe impacts including full database compromise and potential full server compromise. Attackers can extract sensitive information such as user credentials, including administrator accounts, which can lead to unauthorized access and control over the system.

Additionally, attackers can read arbitrary files on the server, potentially exposing system files and other sensitive data. This can lead to data breaches, loss of data integrity, and availability issues.

The vulnerability is remotely exploitable without any authentication, increasing the risk and ease of attack.

Detection Guidance

This SQL Injection vulnerability in the Smart Parking System can be detected by testing the POST endpoint /Smart-parking/parkings/parkings.php, specifically targeting the 'street', 'city', and 'status' parameters for injection flaws.

Automated tools such as sqlmap and Burp Suite can be used to confirm the vulnerability by attempting to extract database information or perform time-based blind SQL injection attacks.

  • Use sqlmap with a command like: sqlmap -u "http://target/Smart-parking/parkings/parkings.php" --data="street=value&city=value&status=value" --risk=3 --level=5 --batch
  • Use Burp Suite to intercept and modify POST requests to the vulnerable endpoint, injecting SQL payloads into the 'street', 'city', or 'status' parameters to observe database error messages or time delays.

Mitigation Strategies

Immediate mitigation steps include applying input validation and sanitization to all user inputs, especially the 'street', 'city', and 'status' parameters.

Replace vulnerable SQL query concatenations with parameterized queries or prepared statements to prevent injection.

Remove excessive database privileges from the database user, especially FILE access, to limit the impact of a successful injection.

Implement a Web Application Firewall (WAF) to detect and block SQL injection patterns targeting the application.
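The following PHP snippet is an added illustration of the first three mitigation steps above and is not code from code-projects Smart Parking System or from VulDB. The real parkings.php is not on this page, so the concatenation pattern, the table name `parkings`, the column names, the allowed status values, the database account name and the environment variable are all assumed placeholders; only the parameter names street, city and status come from the advisory.

```php
<?php
// Added example, not the project's code. Shows the concatenation pattern the
// advisory describes beside a hardened version that validates input, binds
// parameters with PDO prepared statements, and connects with a low-privilege
// account. Table/column names and status values are assumed placeholders.

// --- Pattern described in the advisory (CWE-89): input spliced into SQL ---
function searchParkingsVulnerable(PDO $db, array $post): array
{
    // A quote character in street/city/status changes the query's structure.
    $sql = "SELECT * FROM parkings WHERE street = '" . $post['street'] . "'"
         . " AND city = '" . $post['city'] . "'"
         . " AND status = '" . $post['status'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version ---
const ALLOWED_STATUS = ['available', 'occupied', 'reserved']; // assumed values

function searchParkingsSafe(PDO $db, array $post): array
{
    // 1. Validate shape and size before the values reach the database.
    $street = trim((string)($post['street'] ?? ''));
    $city   = trim((string)($post['city'] ?? ''));
    $status = (string)($post['status'] ?? '');
    if ($street === '' || $city === '' || strlen($street) > 100 || strlen($city) > 100) {
        throw new InvalidArgumentException('street and city are required (max 100 chars)');
    }
    // 'status' is an enumerated field: accept only known values (allow-list).
    if (!in_array($status, ALLOWED_STATUS, true)) {
        throw new InvalidArgumentException('unknown status value');
    }

    // 2. Parameterized query: bound values are never parsed as SQL syntax.
    $stmt = $db->prepare(
        'SELECT id, street, city, status FROM parkings
          WHERE street = :street AND city = :city AND status = :status'
    );
    $stmt->execute([':street' => $street, ':city' => $city, ':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Connect as a least-privilege account instead of root. The MySQL grant for
//    such an account (assumed account name) would look like:
//      CREATE USER 'parking_app'@'localhost' IDENTIFIED BY '...';
//      GRANT SELECT, INSERT, UPDATE, DELETE ON smart_parking.* TO 'parking_app'@'localhost';
//    i.e. no FILE privilege, so a future injection cannot read server files.
function connectParkingDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=smart_parking;charset=utf8mb4',
        'parking_app',
        getenv('PARKING_DB_PASSWORD') ?: '',   // assumed env var; never hard-code
        [
            // Real server-side prepares: the driver does not rebuild the query
            // string client-side, so binding cannot be bypassed by charset tricks.
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Usage (request handler):
// $rows = searchParkingsSafe(connectParkingDb(), $_POST);
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` matters: with emulation on, the PDO MySQL driver interpolates bound values into the SQL string itself, which is still safe for ordinary values but removes the server-side guarantee. The status allow-list is a check that parameter binding alone does not give you: binding stops syntax injection, but only validation stops a client from querying with values the application never intended.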

Compliance Impact

The SQL Injection vulnerability in the Smart Parking System allows attackers to perform full database enumeration, credential disclosure including admin credentials, and arbitrary file reads on the server. This exposure of sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information. Unauthorized access and disclosure of user data can result in non-compliance with these standards, potentially leading to legal and financial penalties.

Remediation steps such as using parameterized queries, removing excessive database privileges, applying input validation, and implementing a Web Application Firewall are critical to restoring compliance and protecting sensitive data.
