CVE-2026-0579

7.3 HIGH

📋 TL;DR

An SQL injection in code-projects Online Product Reservation System 1.0 lets an attacker who can reach the administrative edit.php page alter the SQL statements it builds from request parameters. Depending on the privileges of the database account the application uses, that means reading, modifying, or deleting database contents. Every deployment of version 1.0 is affected and no fixed version is known.

💻 Affected Systems

Products:
  • code-projects Online Product Reservation System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the administrative interface at /handgunner-administrator/edit.php

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the application database: theft or destruction of every table the account can reach and, if the database user holds file-write or similar server-level privileges, a path to code execution on the database host.

🟠 Likely Case: Unauthorized reading and editing of product and reservation data, and potential privilege escalation within the application through tampered records.

🟢 If Mitigated: With prepared statements in place and a least-privilege database account, an injection attempt changes nothing; at worst a verbose error message leaks a table or column name.

🌐 Internet-Facing: HIGH - exploitable over the network against an administrative page that these deployments commonly expose directly to the internet.
🏢 Internal Only: MEDIUM - anyone on the internal network who can reach the admin page, or who obtains an admin session, can exploit it to gain unauthorized database access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to admin interface but SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (platform: all)

Rewrite every query in /handgunner-administrator/edit.php as a PDO or mysqli prepared statement with the request values bound as parameters, and validate each value's type before it is used (prod_id must be an integer, price numeric). This is the actual fix rather than a stopgap; escaping values into a concatenated string is not a substitute.
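The two query shapes side by side, as an added example that is not code from the Online Product Reservation System. The parameter names (prod_id, name, price, model, serial) are those the advisory names; the table name products, the column types, and the SQLite in-memory database are assumptions made so the file runs offline with plain php. The vulnerable function lets an injected prod_id rewrite every row; the hardened one rejects the non-integer id outright and, for a legitimate request, stores a quote-bearing name literally, which is exactly the behaviour to look for when confirming a fix.

```php
<?php
// Added example, not code from the Online Product Reservation System.
// Parameter names (prod_id, name, price, model, serial) come from the
// advisory; the table name "products" and the SQLite in-memory database
// are assumptions so the file runs offline with plain `php`.
declare(strict_types=1);

// The vulnerable shape: request values spliced into the SQL text, so a
// quote in any field rewrites the statement. Kept only for comparison.
function updateProductVulnerable(PDO $pdo, array $post): int
{
    $sql = "UPDATE products SET name='{$post['name']}', price='{$post['price']}', "
         . "model='{$post['model']}', serial='{$post['serial']}' "
         . "WHERE prod_id='{$post['prod_id']}'";
    return $pdo->exec($sql);
}

// The fix: validate the id's type, then bind every value. The SQL text is
// constant, so no value can change its structure.
function updateProductSafe(PDO $pdo, array $post): int
{
    $id = filter_var($post['prod_id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('prod_id must be an integer');
    }
    $stmt = $pdo->prepare(
        'UPDATE products SET name = :name, price = :price, model = :model, '
        . 'serial = :serial WHERE prod_id = :prod_id'
    );
    $stmt->execute([
        ':name'    => (string)($post['name'] ?? ''),
        ':price'   => (string)($post['price'] ?? ''),
        ':model'   => (string)($post['model'] ?? ''),
        ':serial'  => (string)($post['serial'] ?? ''),
        ':prod_id' => $id,
    ]);
    return $stmt->rowCount();
}

// Two-row fixture, rebuilt before each call so the runs are independent.
function fixtureDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (prod_id INTEGER PRIMARY KEY, name TEXT, price TEXT, model TEXT, serial TEXT)');
    $pdo->exec("INSERT INTO products VALUES (1, 'Widget', '10', 'A1', 'S1'), (2, 'Gadget', '20', 'B2', 'S2')");
    return $pdo;
}

// Constructed attacker request: prod_id closes the string literal and adds a
// condition that is true for every row.
$injected = ['prod_id' => "1' OR '1'='1", 'name' => 'pwned', 'price' => '0', 'model' => 'x', 'serial' => 'x'];
// Constructed legitimate request with a quote inside a text field.
$legit = ['prod_id' => '1', 'name' => "O'Brien special", 'price' => '12', 'model' => 'A1', 'serial' => 'S1'];

$pdo = fixtureDb();
printf("vulnerable, injected request: %d row(s) changed\n", updateProductVulnerable($pdo, $injected));

$pdo = fixtureDb();
try {
    updateProductSafe($pdo, $injected);
} catch (InvalidArgumentException $e) {
    echo "safe, injected request: rejected ({$e->getMessage()})\n";
}

printf("safe, legitimate request: %d row(s) changed\n", updateProductSafe($pdo, $legit));
$row = $pdo->query('SELECT name FROM products WHERE prod_id = 1')->fetch(PDO::FETCH_ASSOC);
echo "stored name is now: {$row['name']}\n";
```

Run it with php on any build that has pdo_sqlite. The same bound-parameter form works unchanged against MySQL through PDO or mysqli; only the DSN and the fixture differ.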

Web Application Firewall Rules (platform: all)

Put a WAF in front of /handgunner-administrator/edit.php and block POST requests whose parameters carry injection tokens (a quote followed by OR, AND or UNION, comment markers, stacked statements). Rules that only look for bare keywords such as SELECT or UNION miss URL-encoded or mixed-case payloads and false-positive on ordinary product names, so treat the rule as a speed bump, not a fix, and log everything it blocks.

🧯 If You Can't Patch

  • Restrict access to the /handgunner-administrator/ directory to trusted IP addresses, or place it behind a VPN or single sign-on proxy
  • Run the application under a database account confined to its own schema, with no FILE, SUPER or other server-level privileges. A fully read-only account will break edit.php, which must update product rows, but nothing in the application needs DROP or access to other databases

🔍 How to Verify

Check if Vulnerable:

Against a copy of the data, submit an edit with a single quote (') in prod_id, name, price, model, or serial. A vulnerable build returns a database error, or silently changes more rows than the one addressed when a tautology such as ' OR '1'='1 is appended to prod_id.

Check Version:

Check system documentation or source code for version information

Verify Fix Applied:

A fixed endpoint treats the payload as data: the quote-bearing value is stored literally, only the addressed row changes, no database error is returned, and time-based payloads (SLEEP) do not alter response time. A database error in the response is evidence that the input still reaches the parser, not that the fix is in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server
  • SQL syntax errors in application logs
  • Multiple failed login attempts to admin interface

Network Indicators:

  • POST requests to /handgunner-administrator/edit.php containing SQL keywords
  • Unusual database response times

SIEM Query (match case-insensitively on the URL-decoded body, extend the list with OR, AND, SLEEP and comment markers, and expect false positives from product names that happen to contain these words):

source="web_logs" AND uri="/handgunner-administrator/edit.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT")
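The query above matches raw keywords. As an added example that is not part of the advisory or of the vendor's software, the PHP below applies the same idea per parameter on the decoded POST body: it flags a non-integer prod_id and injection tokens in the text fields, catches URL-encoded and mixed-case payloads that a literal CONTAINS "UNION" misses, and stays quiet on a product name that merely contains the word Select. The log records are constructed, and the field names (ip, method, uri, body) are assumptions about whatever body-logging proxy or WAF feeds the SIEM.

```php
<?php
// Added example, not part of the advisory or the vendor's code: a
// parameter-aware check for edit.php request bodies. Records are
// constructed PHP arrays; field names are assumed, not from the page.
declare(strict_types=1);

const TARGET_URI  = '/handgunner-administrator/edit.php';
const TEXT_PARAMS = ['name', 'price', 'model', 'serial'];

// Tokens that are rare in a real product name but routine in payloads: a
// quote followed by an operator or keyword, comment markers, stacked
// statements, UNION ... SELECT, and MySQL time-based primitives.
const PAYLOAD_PATTERN = '/(\'|")\s*(or\b|and\b|union\b|select\b|--|#|;)|\/\*|--\s|\bunion\b.*?\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(/i';

// Returns a list of reasons; an empty list means the record looks benign.
function scoreEditRequest(array $rec): array
{
    $reasons = [];
    if ($rec['uri'] !== TARGET_URI || $rec['method'] !== 'POST') {
        return $reasons;
    }
    parse_str($rec['body'], $params); // URL-decodes every value

    // prod_id is a row id; anything but an integer is an injection attempt
    // or a broken client, and either deserves a look.
    if (isset($params['prod_id']) && filter_var($params['prod_id'], FILTER_VALIDATE_INT) === false) {
        $reasons[] = 'prod_id is not an integer: ' . $params['prod_id'];
    }
    foreach (TEXT_PARAMS as $p) {
        if (isset($params[$p]) && preg_match(PAYLOAD_PATTERN, $params[$p])) {
            $reasons[] = "$p contains an SQL payload token: " . $params[$p];
        }
    }
    return $reasons;
}

// Constructed sample records: one clean edit, two injection attempts
// (the second URL-encoded and mixed-case), and a legitimate name that a
// bare keyword rule would flag.
$records = [
    ['ip' => '203.0.113.5', 'method' => 'POST', 'uri' => TARGET_URI,
     'body' => 'prod_id=7&name=Widget&price=10&model=A1&serial=S7'],
    ['ip' => '203.0.113.9', 'method' => 'POST', 'uri' => TARGET_URI,
     'body' => 'prod_id=7%27%20OR%20%271%27%3D%271&name=x&price=0&model=x&serial=x'],
    ['ip' => '203.0.113.9', 'method' => 'POST', 'uri' => TARGET_URI,
     'body' => 'prod_id=7&name=x%27%20uNiOn%20sElEcT%201--%20&price=0&model=x&serial=x'],
    ['ip' => '198.51.100.2', 'method' => 'POST', 'uri' => TARGET_URI,
     'body' => 'prod_id=8&name=Select%20Edition%20Insert%20Tool&price=15&model=B&serial=S8'],
];

foreach ($records as $rec) {
    $reasons = scoreEditRequest($rec);
    printf("%-14s %s %s\n", $rec['ip'], $reasons ? 'ALERT' : 'ok   ', implode('; ', $reasons));
}
```

Feed it one record per request from whatever logs the body, and alert on repeated hits from the same source address; a single ALERT is worth a look, a burst is a scanner or a manual attack in progress.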
