Description
A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-01-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection impacting confidentiality and integrity
Action: Patch
AI Analysis

Impact

This vulnerability arises from unsanitized input handling in the prod.php component of the Online Product Reservation System. By manipulating the cat, price, name, model, or serial arguments, an attacker can inject arbitrary SQL statements. The flaw can lead to unauthorized data extraction, modification, or deletion, thereby compromising the confidentiality, integrity, and availability of the underlying database.

Affected Systems

The affected system is the code-projects Online Product Reservation System version 1.0. No other software versions or product lines were listed in the CNA data.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, and the EPSS score of less than 1% suggests a low exploit probability at the time of publication. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Remote exploitation is possible, as indicated by the CNA description, meaning that an attacker could reach the vulnerable endpoint over the network. The likelihood of attack remains modest, but the impact is substantial if the flaw is leveraged.

Generated by OpenCVE AI on April 18, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify and apply any vendor-supplied patch or update for Online Product Reservation System 1.0 that addresses the prod.php SQL injection.
  • If no patch is available, restrict network access to the admin interface containing prod.php to trusted IP ranges or VPN, effectively limiting the attack surface.
  • Implement input validation or parameterized queries for the cat, price, name, model, and serial parameters to prevent future injection attempts.
  • Conduct a code audit of the Parameter Handler component to identify any other potential injection or related weaknesses.

Generated by OpenCVE AI on April 18, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Fri, 09 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Fabian
Fabian online Product Reservation System
CPEs cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*
Vendors & Products Fabian
Fabian online Product Reservation System

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects online Product Reservation System
Vendors & Products Code-projects
Code-projects online Product Reservation System

Sun, 04 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title code-projects Online Product Reservation System Parameter prod.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Online Product Reservation System
Fabian Online Product Reservation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:11:56.706Z

Reserved: 2026-01-03T16:01:43.656Z

Link: CVE-2026-0576

cve-icon Vulnrichment

Updated: 2026-01-06T19:47:26.692Z

cve-icon NVD

Status : Modified

Published: 2026-01-04T09:15:40.473

Modified: 2026-02-23T09:16:32.453

Link: CVE-2026-0576

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses