Description
A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-01-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in the Online Product Reservation System allows an attacker to manipulate the transaction_id parameter in /order_view.php, leading to a classic SQL injection. The vulnerability arises from unsanitized input being directly incorporated into database queries, permitting data extraction or modification. The impact includes potential disclosure of customer data, transaction details, and the ability to alter or delete records if the database user has sufficient privileges.

Affected Systems

The affected product is code-projects Online Product Reservation System version 1.0; the NVD CPE entry (cpe:2.3:a:fabian:online_product_reservation_system:1.0) records the vendor as fabian. The vulnerability is in the handling of the transaction_id GET parameter in order_view.php. No other versions or components are cited as affected.

Risk and Exploitability

The CVSS v4.0 score of 6.9 rates the flaw as medium severity (the v3.1 base score is 7.3, high), and the EPSS score of less than 1% indicates a very low predicted probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been confirmed; note, however, that the SSVC assessment records a public proof of concept (Exploitation: poc) and rates the flaw as automatable, and the description states that the exploit has been disclosed publicly. Attackers can trigger the flaw remotely, without authentication (PR:N) or user interaction (UI:N), by requesting order_view.php with a crafted transaction_id value.

Generated by OpenCVE AI on April 18, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available release of the Online Product Reservation System that contains a vendor‑provided fix for the order_view.php SQL injection. If no official patch exists, proceed to the next steps.
  • Validate the transaction_id parameter to accept only a positive integer (or another strict whitelist matching its real format) before it is used in any SQL statement.
  • Refactor the database access code to use prepared statements with bound parameters (mysqli bind_param or PDO bindValue) so that user‑supplied data is never concatenated into SQL command text.
  • Restrict access to order_view.php to authenticated users with appropriate privileges, and monitor access logs for transaction_id values that are not plain integers (quotes, SQL keywords, comment sequences).
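As an added example (not code from the Online Product Reservation System or from OpenCVE), the concatenation pattern the advisory describes for /order_view.php beside the validate-then-bind form recommended above. The table and column names, the sample rows, the quoting of the value inside the original query, and the use of PDO over an in-memory SQLite database are all assumptions chosen so the script runs stand-alone; the application's real database layer is not shown on this page.

```php
<?php
// Added example, not code from the Online Product Reservation System.
// Shows the concatenation pattern described for /order_view.php next to a
// validate-then-bind replacement. PDO over an in-memory SQLite database,
// the table/column names and the sample rows are all assumptions chosen
// so the script runs stand-alone.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (transaction_id INTEGER PRIMARY KEY, customer TEXT, amount REAL)');
    // Constructed sample data: two orders belonging to two different customers.
    $db->exec("INSERT INTO orders VALUES (1, 'alice', 19.99), (2, 'bob', 42.50)");
    return $db;
}

// Vulnerable: the raw GET value is spliced into the SQL text. A value such as
// 1' OR '1'='1 turns the WHERE clause into a tautology and returns every order.
function orderViewVulnerable(PDO $db, string $transactionId): array
{
    $sql = "SELECT transaction_id, customer, amount FROM orders "
         . "WHERE transaction_id = '$transactionId'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then pass it as a bound parameter
// so the database never parses attacker-controlled text as SQL.
function orderViewSafe(PDO $db, string $transactionId): array
{
    $id = filter_var($transactionId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('transaction_id must be a positive integer');
    }
    $stmt = $db->prepare(
        'SELECT transaction_id, customer, amount FROM orders WHERE transaction_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$payload = "1' OR '1'='1";   // constructed tautology payload for the GET parameter

// The vulnerable query returns both customers' orders for a request that
// should have matched at most one.
$leaked = orderViewVulnerable($db, $payload);
printf("vulnerable: %d row(s) returned\n", count($leaked));

// The hardened version rejects the payload before any SQL is built.
try {
    orderViewSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}

// A legitimate request still works and is scoped to a single transaction.
$own = orderViewSafe($db, '1');
printf("hardened: %d row(s) for transaction_id=1\n", count($own));
```

The script needs PHP's pdo_sqlite extension. The property that matters is that the bound value travels separately from the SQL text, so the integer validation is defence in depth rather than the only barrier; in the application itself the same two changes apply to whichever driver it uses (mysqli bind_param('i', ...) or PDO bindValue with PDO::PARAM_INT).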

Generated by OpenCVE AI on April 18, 2026 at 20:15 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 09 Jan 2026 14:45:00 +0000

Type: First Time appeared
  Values added: Fabian; Fabian online Product Reservation System
Type: CPEs
  Values added: cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Fabian; Fabian online Product Reservation System

Tue, 06 Jan 2026 14:30:00 +0000

Type: First Time appeared
  Values added: Code-projects; Code-projects online Product Reservation System
Type: Vendors & Products
  Values added: Code-projects; Code-projects online Product Reservation System

Tue, 06 Jan 2026 00:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:15:00 +0000

Type: Description
  Values added: A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Type: Title
  Values added: code-projects Online Product Reservation System GET Parameter order_view.php sql injection
Type: Weaknesses
  Values added: CWE-74; CWE-89
Type: References
Type: Metrics
  Values added:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:14:20.055Z

Reserved: 2026-01-04T07:01:42.324Z

Link: CVE-2026-0585

Vulnrichment

Updated: 2026-01-05T20:31:02.593Z

NVD

Status : Analyzed

Published: 2026-01-05T10:15:58.653

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:30:09Z

Weaknesses