Description
A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
Published: 2026-01-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the Online Product Reservation System 1.0 where unsanitized POST parameters prod_id, name, price, model, and serial are incorporated directly into SQL statements within edit.php. This flaw allows an attacker to inject arbitrary SQL and therefore read, modify, or delete arbitrary data in the database. The impact could lead to credential theft, product inventory manipulation, or broader system compromise if database connection has elevated privileges, potentially enabling further attacks.

Affected Systems

The affected product is the Online Product Reservation System released by code-projects, version 1.0. The flaw resides in the administration interface edit.php used by authorized users to modify product details.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability carries a medium‑to‑high risk. The EPSS score of less than 1% indicates a low likelihood of active exploitation, and the vulnerability is not currently catalogued in the CISA KEV list. The attack can be launched remotely by a user who can send crafted POST requests to the vulnerable endpoint, a fact that we infer from the description which mentions remote launch but does not specify authentication requirements. The underlying weaknesses are identified as CWE‑74 (Improper Neutralization of Input) and CWE‑89 (SQL Injection). Given the remote nature of the attack vector and the severe potential for data exfiltration or modification, immediate mitigation is warranted.

Generated by OpenCVE AI on April 18, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the vendor’s patched release that sanitizes input and replaces raw SQL with parameterized queries
  • If a patch is not yet available, restrict POST access to edit.php to the administrator’s IP range and implement input validation to reject non‑numeric or non‑alphanumeric characters in prod_id, name, price, model, and serial
  • Reduce database privileges granted to the application user to the minimum required for normal operation and monitor database logs for suspicious query patterns

Generated by OpenCVE AI on April 18, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Fabian
Fabian online Product Reservation System
CPEs cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*
Vendors & Products Fabian
Fabian online Product Reservation System

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects online Product Reservation System
Vendors & Products Code-projects
Code-projects online Product Reservation System

Sun, 04 Jan 2026 12:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
Title code-projects Online Product Reservation System POST Parameter edit.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Online Product Reservation System
Fabian Online Product Reservation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:12:35.193Z

Reserved: 2026-01-03T16:01:54.337Z

Link: CVE-2026-0579

cve-icon Vulnrichment

Updated: 2026-01-06T19:29:21.287Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-04T13:15:42.427

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses