CVE-2026-0583

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in code-projects Online Product Reservation System 1.0 allows attackers to manipulate database queries through the emailadd (email address) parameter of the user login in app/user/login.php. Remote attackers can potentially read, modify, or delete database contents. All installations of version 1.0 that include the vulnerable component are affected.

💻 Affected Systems

Products:
  • code-projects Online Product Reservation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the User Login component, specifically the app/user/login.php file. Any installation that includes this component is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access, credential theft, and potential privilege escalation leading to system compromise.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires no authentication and uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (Platforms: all)

Implement proper input validation and parameterized queries for the emailadd parameter in login.php.

Modify app/user/login.php to use prepared statements with parameterized queries.
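The following is an added example of what that change looks like, not code from the code-projects product: a login handler that binds the emailadd value as a PDO parameter instead of splicing it into the SQL text. The table and column names (users, email, password_hash), the password field name and the DSN are assumptions.

```php
<?php
// Added example (not the project's own code). Assumed schema: users(id, email, password_hash).
session_start();

function loginUser(PDO $db, string $emailadd, string $password): ?array
{
    // Validation narrows the input but is not the fix; the prepared statement is.
    if (filter_var($emailadd, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Vulnerable pattern this replaces (contrast only, never execute):
    //   $db->query("SELECT * FROM users WHERE email = '$emailadd'");
    // The value becomes part of the SQL text, so a quote in it rewrites the query.

    // Hardened: the SQL text is constant; the value is sent as a bound parameter
    // and is always treated as data, never as query structure.
    $stmt = $db->prepare(
        'SELECT id, email, password_hash FROM users WHERE email = :email LIMIT 1'
    );
    $stmt->bindValue(':email', $emailadd, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a password_hash() digest in PHP, not inside the SQL.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}

// Assumed DSN and credentials. Disabling emulated prepares makes MySQL perform
// real server-side binding; exceptions keep errors from being silently ignored.
$db = new PDO(
    'mysql:host=localhost;dbname=reservation;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

$user = loginUser($db, $_POST['emailadd'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);   // same generic response for bad email or bad password
    exit('Invalid email or password.');
}
$_SESSION['user_id'] = $user['id'];
```

With this in place a quote or SQL keyword in emailadd simply fails FILTER_VALIDATE_EMAIL or matches no row, so the endpoint returns the generic 401 rather than a database error.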

Web Application Firewall (WAF) (Platforms: all)

Deploy WAF rules to block SQL injection patterns.

Configure WAF to detect and block SQL injection attempts on login endpoints.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the login endpoint with SQL injection payloads in the emailadd parameter and observe database errors or unexpected behavior

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes: the input should be treated as literal data, producing an ordinary failed-login response with no database error messages or altered query behavior.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in login attempts
  • Multiple failed login attempts with SQL characters
  • Database error messages in application logs

Network Indicators:

  • SQL keywords in HTTP POST parameters to login endpoint
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="/app/user/login.php" OR uri="/login") AND param="emailadd" AND (value CONTAINS "' OR " OR value CONTAINS "--" OR value CONTAINS ";")
