CVE-2026-14649
code-projects · Online Voting System
A SQL injection vulnerability exists in the test_input function of /saveVote.php in code-projects Online Voting System 1.0, allowing unauthenticated remote attackers to execute malicious SQL commands.
Executive summary
An unauthenticated SQL injection vulnerability in code-projects Online Voting System 1.0 allows remote attackers to inject SQL through the request parameters of the vote-saving endpoint, putting the integrity of the voting data at risk.
Vulnerability
The vulnerability is located in the test_input function within the /saveVote.php file. The voterName, voterEmail, voterID, and selectedCandidate parameters are not adequately sanitized before reaching the database query, allowing an attacker to inject arbitrary SQL commands without any authentication or user interaction.
Business impact
The CVSS score of 7.3 highlights a high-severity threat to the system's data integrity. Exploitation could allow an attacker to manipulate voting results, exfiltrate voter PII (Personally Identifiable Information), or compromise the underlying database, which undermines the entire purpose of an online voting platform.
Remediation
Immediate Action: In the absence of an official patch, administrators should take the system offline if possible or restrict access to the voting portal until the code can be manually hardened.
Proactive Monitoring: Review application logs for suspicious entries in the parameters passed to /saveVote.php and monitor database performance for signs of unauthorized query execution.
Compensating Controls: Deploy WAF rules designed to block SQL injection patterns specifically targeting the /saveVote.php endpoint to mitigate the risk of automated exploitation.
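The following is an added hardening example for the vote-saving handler, not code from the Online Voting System project. It assumes a MySQL table named votes with the columns shown, that voterID is an alphanumeric identifier and selectedCandidate a numeric one, and placeholder database credentials; the point is that input-normalizing helpers such as test_input do not replace parameterized queries.

```php
<?php
// Added hardening example (not the project's own code). Table and column
// names, the shape of voterID/selectedCandidate, and the DSN are assumptions.
declare(strict_types=1);

function saveVote(PDO $db, array $post): bool
{
    // Validate the shape of each field and reject anything that does not fit,
    // instead of trying to "clean" hostile input.
    $name  = trim((string)($post['voterName'] ?? ''));
    $email = filter_var($post['voterEmail'] ?? '', FILTER_VALIDATE_EMAIL);
    $id    = (string)($post['voterID'] ?? '');
    $cand  = (string)($post['selectedCandidate'] ?? '');

    if ($name === '' || mb_strlen($name) > 100) {
        return false;
    }
    if ($email === false) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $id) || !ctype_digit($cand)) {
        return false;
    }

    // Parameterized statement: values are bound, never concatenated into the
    // SQL text, so quotes or comment sequences in a field cannot alter the query.
    $stmt = $db->prepare(
        'INSERT INTO votes (voter_name, voter_email, voter_id, candidate_id)
         VALUES (:name, :email, :id, :cand)'
    );
    $stmt->bindValue(':name',  $name,       PDO::PARAM_STR);
    $stmt->bindValue(':email', $email,      PDO::PARAM_STR);
    $stmt->bindValue(':id',    $id,         PDO::PARAM_STR);
    $stmt->bindValue(':cand',  (int)$cand,  PDO::PARAM_INT);
    return $stmt->execute();
}

// Placeholder credentials. Emulated prepares are disabled so that MySQL
// itself performs the binding rather than the PHP driver interpolating values.
$db = new PDO('mysql:host=localhost;dbname=voting;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    http_response_code(saveVote($db, $_POST) ? 200 : 400);
}
```

The same validate-then-bind pattern applies to every other query in the application that takes request parameters, since a WAF in front of /saveVote.php only reduces exposure until the code is fixed.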
Exploitation status
Public Exploit Available: true
Analyst recommendation
This vulnerability is critical due to the potential for data tampering in a system designed for sensitive information collection. Administrators must implement immediate defensive measures and monitor for any signs of unauthorized access, as the lack of authentication requirements makes this an attractive target for attackers.