Description
A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-01-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the User Registration Handler script register_code.php of Online Product Reservation System 1.0. By carefully crafting values for the fields fname, lname, address, city, province, country, zip, tel_no, email, and username, an attacker can inject arbitrary SQL into the backend. The vulnerability is a classic SQL injection, matching CWE‑74 and CWE‑89. Successful exploitation would give the attacker read, modify or delete privileges in the database, undermining confidentiality, integrity, and potentially availability of the reservation system.

Affected Systems

Affected systems are primarily the code‑projects Online Product Reservation System version 1.0. No other versions or components were noted in the CNA data.

Risk and Exploitability

According to the CVSS score of 6.9, the vulnerability provides moderate to high impact. The EPSS score of less than 1% indicates low, but not negligible, likelihood of exploitation under current conditions. The vulnerability is not yet listed in the CISA KEV catalog, yet public proof‑of‑concept code is available, so the attack can be initiated remotely with minimal prerequisites. The attack path simply involves submitting manipulated form data to the registration endpoint, which is reachable from the Internet.

Generated by OpenCVE AI on April 18, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Online Product Reservation System if an update is released by code-projects
  • Enforce strict input validation and use prepared statements or parameterized queries to eliminate injection points
  • Deploy a web application firewall or intrusion detection system tuned to block SQL injection payloads
  • Monitor database access logs and application logs for abnormal queries and terminate suspicious sessions

Generated by OpenCVE AI on April 18, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Fabian
Fabian online Product Reservation System
CPEs cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*
Vendors & Products Fabian
Fabian online Product Reservation System

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects online Product Reservation System
Vendors & Products Code-projects
Code-projects online Product Reservation System

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title code-projects Online Product Reservation System User Registration register_code.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Online Product Reservation System
Fabian Online Product Reservation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:19:25.599Z

Reserved: 2026-01-04T18:06:42.638Z

Link: CVE-2026-0592

cve-icon Vulnrichment

Updated: 2026-01-05T20:07:10.222Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-05T14:15:54.700

Modified: 2026-01-09T15:02:39.510

Link: CVE-2026-0592

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses