Description
A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-27
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: SQL Injection allowing unauthorized data disclosure
Action: Assess Impact
AI Analysis

Impact

The loginuser.php script accepts email and password parameters without proper filtering, enabling an attacker to inject arbitrary SQL statements. This injection can expose sensitive user information, modify account details, or potentially gain unauthorized database access. The flaw falls under CWE-74 and CWE-89, representing inadequate handling of query parameters and SQL injection.

Affected Systems

code-projects Online Lot Reservation System version 1.0 and earlier are affected. The vulnerability resides in the loginuser.php file and can be triggered by passing crafted email/password values over the network.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity with a remote attack vector. The EPSS score is not available and the issue is not listed in CISA KEV, but the publicly disclosed exploit demonstrates feasibility. An attacker can remotely send a malicious request to /loginuser.php, inject SQL, and retrieve or alter data. Due to the lack of a published fix, the risk remains ongoing until a vendor update or a mitigated configuration is applied.

Generated by OpenCVE AI on April 28, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade to a fixed version of the Online Lot Reservation System if available
  • Refactor the loginuser.php code to use parameterized queries or stored procedures and validate input against a whitelist
  • Restrict the database user privileges used by the application to the minimum necessary rights
  • Monitor authentication attempts and database logs for abnormal activity patterns

Generated by OpenCVE AI on April 28, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects online Lot Reservation System
Vendors & Products Code-projects
Code-projects online Lot Reservation System

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Title code-projects Online Lot Reservation System loginuser.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Online Lot Reservation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T17:54:52.563Z

Reserved: 2026-04-26T19:18:41.147Z

Link: CVE-2026-7131

cve-icon Vulnrichment

Updated: 2026-04-27T17:54:49.395Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T15:16:21.433

Modified: 2026-04-27T18:36:19.637

Link: CVE-2026-7131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:17:06Z

Weaknesses