CVE-2026-14648

code-projects · Online Voting System

A SQL injection vulnerability in the login component of code-projects Online Voting System allows unauthenticated attackers to compromise the system via the `test_input` function.

Executive summary

An unauthenticated SQL injection vulnerability in the code-projects Online Voting System poses a critical risk of administrative account compromise.

Vulnerability

The injection is in the `test_input` function of `/authentication.php`, the script that handles the administrator login form. An unauthenticated remote attacker who submits crafted values in the `adminUserName` or `adminPassword` parameters can alter the authentication query and log in as an administrator without valid credentials. The flaw requires no prior access or user interaction, only the ability to reach the login page.

Business impact

The vulnerability carries a CVSS score of 7.3 (High), reflecting remote, unauthenticated access to sensitive application data with no user interaction required. Successful exploitation could give an attacker full administrative control over the voting system, which in turn allows manipulation of voting results, exfiltration of voter and candidate data, or complete compromise of the host application, with significant reputational and operational consequences for the organisation running the election.

Remediation

Immediate Action: Since no official patch is available, restrict access to the login interface via IP allowlisting or VPN requirements until a secure version is released.

Proactive Monitoring: Monitor application or reverse-proxy logs for abnormal values in the `adminUserName` and `adminPassword` fields, specifically SQL syntax such as single quotes, semicolons, comment indicators (`--`, `#`, `/*`) and boolean tautologies (`OR '1'='1`). Decode URL-encoding before matching, since payloads commonly arrive as `%27` or double-encoded `%2527`; treat a lone apostrophe as a weak signal (legitimate names contain them) and repeated hits from one source address as a strong one; and record which indicator fired rather than the raw password value, so the monitoring pipeline does not become a store of plaintext credentials.
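A minimal version of that check, added here as a Python example (not a tool from the project or from this advisory): it scans constructed proxy-style log lines in which the two login form fields are recorded URL-encoded, decodes them fully before matching so that double-encoded payloads are not missed, flags the indicators listed above, and tallies hits per source address. The log format, addresses and timestamps are invented for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log (not from the product): one line per login POST, with the
# two form fields recorded as a URL-encoded query string after the request path.
SAMPLE_LOG = """\
2026-05-10T08:01:12Z 10.0.0.5 POST /authentication.php adminUserName=admin&adminPassword=s3cret
2026-05-10T08:01:40Z 10.0.0.9 POST /authentication.php adminUserName=admin%27+--+-&adminPassword=x
2026-05-10T08:02:03Z 10.0.0.9 POST /authentication.php adminUserName=%27+OR+%271%27%3D%271&adminPassword=%27+OR+%271%27%3D%271
2026-05-10T08:02:30Z 10.0.0.7 POST /authentication.php adminUserName=o'brien&adminPassword=pw
2026-05-10T08:03:10Z 10.0.0.9 POST /authentication.php adminUserName=admin%2527+--+-&adminPassword=x
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /authentication\.php (?P<qs>\S+)$")
WATCHED_FIELDS = ("adminUserName", "adminPassword")

# Indicators named in the advisory plus a tautology pattern; keys double as alert labels.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "semicolon": re.compile(r";"),
    "comment": re.compile(r"--|#|/\*"),
    "tautology": re.compile(r"\bor\b\s*['\"\d]", re.IGNORECASE),
    "union": re.compile(r"\bunion\b", re.IGNORECASE),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Decode repeatedly until stable: a single decode turns %2527 into %27 and misses it."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per watched field whose decoded value matches any indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login request in the assumed format
        params = parse_qs(m.group("qs"), keep_blank_values=True)  # decodes once
        for field in WATCHED_FIELDS:
            for raw in params.get(field, []):
                value = fully_decode(raw)
                hits = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
                if hits:
                    findings.append({"ts": m.group("ts"), "ip": m.group("ip"),
                                     "field": field, "value": value, "indicators": hits})
    return findings


def count_by_ip(findings: list) -> dict:
    """Hits per source address; a burst from one address is the stronger signal."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        # In production log the field and indicators only; the value is shown here for clarity.
        print(f"{f['ts']} {f['ip']} {f['field']}: {f['indicators']}  ({f['value']!r})")
    print("per-ip:", count_by_ip(results))
```

The `o'brien` line fires only `single_quote`, a plausible legitimate login, while 10.0.0.9 accumulates comment and tautology hits across three requests within two minutes; alerting on the higher-confidence indicators or on the per-address count keeps the rule useful without paging on every apostrophe.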

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules that detect and block common SQL injection payloads against the authentication endpoint, and have it decode URL-encoding before matching. Treat this as a stopgap, not a fix: signature-based rules can be evaded with encoding and syntax variations, so the access restriction above remains the primary control until a patched version is available.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the ease of exploitation and the critical nature of the compromised component, organizations currently running the Online Voting System should treat this as a high-priority risk. If the software cannot be updated or patched, it should be taken offline or placed behind robust network-level access controls to prevent unauthorized remote exploitation.