Description
A vulnerability has been found in code-projects Real State Services 1.0. This impacts an unknown function of the file /loginuser.php of the component Login. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection that originates from improper handling of the Username argument within /loginuser.php of the Login component. An attacker can manipulate this parameter to inject arbitrary SQL, potentially reading, modifying, or deleting data in the backend database. This flaw allows remote exploitation, meaning that a malicious actor can target the application over the internet without requiring local privileges. The impact is that the confidentiality, integrity, and availability of the application’s data may be compromised, leading to data leakage, unauthorized access, or disruptions.

Affected Systems

The affected product is code-projects Real State Services version 1.0. No other versions or vendor products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 categorizes this flaw as medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that it has not yet been widely abused. However, the description indicates that the exploit has been publicly disclosed and may be used by attackers. The likely attack vector is remote over the web interface, specifically targeting the login page that accepts user credentials.

Generated by OpenCVE AI on June 1, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a version of code-projects Real State Services where input validation or parameterized queries protect the Username field in /loginuser.php.
  • Replace any inline SQL statements that incorporate the Username value with prepared statements and bind parameters to eliminate direct SQL injection possibilities.
  • Restrict exposure of the /loginuser.php endpoint by configuring access controls, IP whitelisting, or web application firewall rules to block suspicious injection attempts.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:00:00 +0000

Values Added (no Values Removed):

Description: A vulnerability has been found in code-projects Real State Services 1.0. This impacts an unknown function of the file /loginuser.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Title: code-projects Real State Services Login loginuser.php sql injection
First Time appeared: Code-projects; Code-projects real State Services
Weaknesses: CWE-74, CWE-89
CPEs: cpe:2.3:a:code-projects:real_state_services:*:*:*:*:*:*:*:*
Vendors & Products: Code-projects; Code-projects real State Services
References:
Metrics:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T13:45:08.184Z

Reserved: 2026-05-31T12:48:14.352Z

Link: CVE-2026-10262

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-01T15:16:32.510

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-10262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T17:30:16Z

Weaknesses