CVE-2026-0584

6.3 MEDIUM

📋 TL;DR

CVE-2026-0584 is a SQL injection vulnerability in code-projects Online Product Reservation System 1.0 that allows attackers to execute arbitrary SQL commands via the ID parameter in app/products/left_cart.php. This affects all users running this specific software version, potentially enabling unauthorized database access, data theft, or system compromise.

💻 Affected Systems

Products:
  • code-projects Online Product Reservation System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation; requires PHP environment with database connectivity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft or manipulation of every table the application's database account can reach, and full system takeover where that account also holds file-write or similar privileges that let SQL injection be turned into code execution.

🟠 Likely Case

Unauthorized read access to reservation data, customer information, or administrative credentials stored in the database.

🟢 If Mitigated

Limited impact: with the ID parameter validated and passed through a parameterized query, injected input is treated as data and the payload has no effect.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exploit available; remote exploitation possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. Apply any available patches.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation and Sanitization (Platform: all)

Implement strict input validation and parameterized queries for the ID parameter in left_cart.php: reject any value that is not a positive integer, and pass the accepted value to the database as a bound parameter instead of concatenating it into the query string.

Modify app/products/left_cart.php to use prepared statements.
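A worked illustration of the workaround above, added here and not taken from the Online Product Reservation System's own code: a hypothetical reconstruction of the injectable lookup pattern beside a hardened version. The table name `products`, its columns, the PDO connection `$pdo`, and the assumption that ID is an integer key are all assumptions; if the project uses mysqli instead of PDO, the same shape applies with `prepare()` and `bind_param('i', $id)`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Online Product Reservation System.
// Assumptions: table `products` with columns id/name/price, a PDO
// connection $pdo, and an integer product ID.

/**
 * BEFORE (hypothetical reconstruction of the vulnerable pattern): the raw
 * request value becomes part of the SQL text. ID=42 works, but a value
 * such as "42 OR 1=1" or "-1 UNION SELECT ..." changes the statement.
 */
function leftCartVulnerable(PDO $pdo, array $get): ?array
{
    $id  = $get['ID'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = " . $id;
    $stmt = $pdo->query($sql);          // attacker-controlled SQL text
    if ($stmt === false) {
        return null;
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * AFTER: reject anything that is not a positive integer, then pass the
 * value as a bound parameter so the database receives it as data only.
 */
function leftCartHardened(PDO $pdo, array $get): ?array
{
    $id = filter_var(
        $get['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);        // malformed ID: refuse before touching the DB
        return null;
    }

    $stmt = $pdo->prepare("SELECT id, name, price FROM products WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // bound as an integer, never as SQL
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Create the connection with `PDO::ATTR_EMULATE_PREPARES => false` so the statement is actually prepared server-side, and `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` so a failed query does not fall through silently.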

Web Application Firewall (WAF) (Platform: all)

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint. Treat this as a stop-gap only: signature-based rules can be bypassed with URL encoding and inline-comment obfuscation, so the code fix remains necessary.

Configure the WAF to block suspicious SQL patterns in requests to /app/products/left_cart.php; because ID is an integer, a rule that rejects any non-numeric ID value on that path is tighter than keyword matching.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement network segmentation and strict access controls to limit potential damage

🔍 How to Verify

Check if Vulnerable:

On a test instance you are authorized to test, send requests to left_cart.php with standard SQL injection probes in the ID parameter (a trailing single quote, and a pair of boolean conditions that should return the same row and no row respectively) and compare the responses and any database error output with those for a plain numeric ID.

Check Version:

Check software version in configuration files or admin panel

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or properly handled

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs (if the general query log is enabled), and database error messages in the application or PHP error logs caused by malformed injected syntax
  • Web server requests to left_cart.php whose ID parameter is not a plain integer (quotes, spaces, comment sequences, SQL keywords, or their URL-encoded equivalents)

Network Indicators:

  • Suspicious HTTP requests to left_cart.php with SQL payloads

SIEM Query:

source="web_logs" AND uri="*left_cart.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")

This keyword match is a starting point only: it misses payloads that carry none of the listed keywords (boolean or time-based probes such as 1 AND SLEEP(5)), payloads split with inline comments or URL-encoded, and it should be run against the decoded query string. Because the ID parameter is expected to be an integer, alerting on any request to left_cart.php whose ID value is not a plain number is a tighter rule.
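The following script, added here as an example and not part of the page, takes the complementary approach to the keyword query above for an integer parameter: any request to the path named in the CVE whose ID value, after percent-decoding, is not a plain positive integer is flagged. The log lines are constructed samples in the common combined access-log format.

```php
<?php
declare(strict_types=1);

// Added example, not from the page. Flags requests to left_cart.php whose
// ID parameter is not a plain positive integer. For an integer key this
// catches quoted, encoded, comment-obfuscated and time-based payloads
// that carry no UNION/SELECT keyword. Requires PHP 8.0+ (str_ends_with).

const VULN_PATH = '/app/products/left_cart.php';

/**
 * Returns one entry per suspicious line: client IP, decoded ID value, raw line.
 */
function suspiciousLeftCartRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the client IP and the request target out of "METHOD target HTTP/x".
        if (!preg_match('/^(\S+) .*"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;

        $path = (string) parse_url($target, PHP_URL_PATH);
        if (!str_ends_with($path, VULN_PATH)) {
            continue;   // other endpoints are out of scope for this rule
        }

        // parse_str() percent-decodes values, so ID=1%27%20OR%201%3D1 is
        // examined in its decoded form.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);

        $id = null;
        foreach ($params as $key => $value) {
            if (strcasecmp((string) $key, 'ID') === 0) {   // ID, id, Id ...
                $id = is_array($value) ? json_encode($value) : (string) $value;
            }
        }
        if ($id === null) {
            continue;   // no ID parameter at all
        }

        if (!preg_match('/^\d+$/', $id)) {
            $hits[] = ['ip' => $ip, 'id' => $id, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); 198.51.100.0/24 and
// 203.0.113.0/24 are documentation ranges.
$sample = [
    '198.51.100.7 - - [01/Mar/2026:10:00:00 +0000] "GET /app/products/left_cart.php?ID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2026:10:00:01 +0000] "GET /app/products/left_cart.php?ID=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /app/products/left_cart.php?id=-1%27%20UN/**/ION%20SELECT%201,2,3--%20- HTTP/1.1" 200 900 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Mar/2026:10:00:03 +0000] "GET /app/products/index.php?ID=1%20OR%201%3D1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach (suspiciousLeftCartRequests($sample) as $hit) {
    printf("ALERT %s ID=%s\n", $hit['ip'], $hit['id']);
}
```

The rule is deliberately tied to the vulnerable path and the parameter's expected type rather than to attack signatures; the same shape works for any other integer parameter by changing VULN_PATH and the key name. Feed it real access logs with `file()` in place of the constructed array.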
