Description
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Executing a manipulation of the argument ID can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unsanitized ID parameter in the /single-list_sale.php?action=add endpoint that allows attackers to inject arbitrary SQL commands. This flaw permits a remote attacker to read, modify, or delete records in the database, depending on the privileges of the database account that runs the injected query. The vulnerability is classified as SQL injection (CWE-89), a specific case of the general injection weakness (CWE-74) in which special elements are not neutralized before being passed to a downstream component.

Affected Systems

The flaw exists in code-projects Real State Services version 1.0. No other versions were listed, so any deployment of the 1.0 release is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity for a remotely exploitable flaw. With an EPSS score below 1% and no entry in CISA's KEV catalog, the likelihood of widespread exploitation remains uncertain; however, public exploits are already available, so the attack window is open. The attacker needs only network access to the vulnerable endpoint and can manipulate the ID parameter without authentication, which increases exploitability.

Generated by OpenCVE AI on June 29, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a version that resolves the SQL injection in /single-list_sale.php
  • Limit remote access to the add action by requiring authentication or enforcing firewall rules
  • Validate and sanitize the ID parameter so that only numeric values are accepted and use prepared statements to build queries
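
An added example of the third recommended action (strict numeric validation of ID, then a prepared statement), written in PHP; it is not code from Real State Services or OpenCVE. The `sale_listing` table, its columns and the function names are hypothetical, and an in-memory SQLite database with constructed data stands in for the application's database.

```php
<?php
declare(strict_types=1);

// Assumptions: the id arrives as request parameter "ID" (the advisory's name);
// the table and column names are hypothetical, not taken from the project.

// Accept only a plain positive decimal integer; anything else yields null.
function parse_listing_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id <= 2147483647 ? $id : null; // stay within a signed 32-bit INT column
}

// The placeholder keeps the value out of the SQL text; it is bound as data.
function find_listing(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM sale_listing WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns [HTTP status, body]; rejects bad input before any query is built.
function handle_request(PDO $db, array $query): array
{
    $id = parse_listing_id($query['ID'] ?? null);
    if ($id === null) {
        return [400, 'invalid ID'];
    }
    $row = find_listing($db, $id);
    return $row === null ? [404, 'not found'] : [200, $row['title']];
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false for server-side binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sale_listing (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO sale_listing (id, title) VALUES (7, 'Two-bedroom flat')");

foreach (['7', '8', '7abc', "7'", '', ['7']] as $sample) {
    [$status, $body] = handle_request($db, ['ID' => $sample]);
    printf("%-8s -> %d %s\n", json_encode($sample), $status, $body);
}
```

The validation and the bound parameter are independent layers: the regular expression rejects non-numeric and array-valued input early, and the prepared statement keeps the query safe even if validation is later loosened.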


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 29 Jun 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. |
| Title | | code-projects Real State Services single-list_sale.php add sql injection |
| First Time appeared | | Code-projects; Code-projects real State Services |
| Weaknesses | | CWE-74; CWE-89 |
| CPEs | | cpe:2.3:a:code-projects:real_state_services:*:*:*:*:*:*:*:* |
| Vendors & Products | | Code-projects; Code-projects real State Services |
| References | | |
| Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:48:57.549Z

Reserved: 2026-06-28T16:06:04.907Z

Link: CVE-2026-13559

Vulnrichment

Updated: 2026-06-29T12:48:54.222Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')