CVE-2026-0591 - Vulnerability Details

- code-projects Online Product Reservation System Cart Update update.php sql injection

Description

A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

Published: 2026-01-05

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A software flaw in the 1.0 release of code‑projects Online Product Reservation System permits an attacker to supply crafted id and qty values to the /app/checkout/update.php handler, leading to a SQL injection vulnerability (CWE‑74 and CWE‑89). Because the input is not properly validated before being incorporated into SQL statements, an attacker can execute arbitrary database commands, potentially exposing order details or altering stored records and compromising confidentiality or integrity of transaction data.

Affected Systems

The affected product is code‑projects Online Product Reservation System version 1.0. Systems that expose the /app/checkout/update.php endpoint as part of the cart update handler are at risk. Administrators should verify whether their deployments are using this exact version and whether the vulnerable file is publicly accessible.

Risk and Exploitability

The reported CVSS score of 5.3 indicates moderate severity. The EPSS rating shows that the likelihood of exploitation is low (less than 1%) and the issue is not listed in CISA’s KEV catalog. The vulnerability can be triggered remotely by an external actor through HTTP requests to the vulnerable endpoint. Public proof‑of‑concept code is available, suggesting that an attacker could exploit the flaw from outside the network without elevated credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Online Product Reservation System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Code-projects	Online Product Reservation System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest vendor patch or upgrade to a version of Online Product Reservation System that addresses the SQL injection flaw.
Modify the cart update code so that id and qty parameters are bound as integers or validated against numeric ranges before being used in SQL statements.
Deploy defensive controls such as a web application firewall or request filtering that blocks suspicious SQL injection patterns targeting the update endpoint.

Generated by OpenCVE AI on April 18, 2026 at 20:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md#poc
https://vuldb.com/?ctiid.339501
https://vuldb.com/?id.339501
https://vuldb.com/?submit.731129

History

Fri, 09 Jan 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fabian Fabian online Product Reservation System
CPEs		cpe:2.3:a:fabian:online_product_reservation_system:1.0:::::::*
Vendors & Products		Fabian Fabian online Product Reservation System

Tue, 06 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects online Product Reservation System
Vendors & Products		Code-projects Code-projects online Product Reservation System

Tue, 06 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 05 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Title		code-projects Online Product Reservation System Cart Update update.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://code-projects.org/ https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md#poc https://vuldb.com/?ctiid.339501 https://vuldb.com/?id.339501 https://vuldb.com/?submit.731129
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Online Product Reservation System

Fabian Online Product Reservation System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-05T13:02:06.010Z

Updated: 2026-02-23T08:19:12.774Z

Reserved: 2026-01-04T18:06:39.699Z

Link: CVE-2026-0591

Vulnrichment

Updated: 2026-01-05T20:07:50.583Z

NVD

Status : Analyzed

Published: 2026-01-05T14:15:54.507

Modified: 2026-01-09T14:59:07.417

Link: CVE-2026-0591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:30:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object