CVE-2026-14700

code-projects · Internship Management System

A critical SQL injection vulnerability in the employer/login.php file of code-projects Internship Management System 1.0 allows for unauthenticated remote command injection.

Executive summary

An unauthenticated SQL injection vulnerability in code-projects Internship Management System 1.0 poses a severe risk of unauthorized data access and potential system compromise.

Vulnerability

This is a SQL injection vulnerability located in the employer/login.php component. The application fails to properly sanitize the email and password parameters before using them in a database query, allowing an unauthenticated attacker to inject SQL into the statements the application runs against its backend database.

Business impact

The vulnerability carries a CVSS score of 7.3, indicating a high level of technical risk. Successful exploitation could lead to unauthorized access to sensitive internship and employer records, potentially resulting in full database compromise, data exfiltration, or modification of administrative credentials. Such a breach could cause significant reputational damage and legal liability regarding the protection of user data.

Remediation

Immediate Action: Since no official patch is currently available, administrators should immediately restrict network access to the affected system and implement strict input validation on the login interface.

Proactive Monitoring: Review web server access logs for anomalous characters or SQL keywords in login attempts, and monitor database audit logs for unauthorized queries or unexpected modifications.
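The log review suggested above, as an added example that is not part of this advisory: a small Python scanner over constructed access-log lines that flags SQL comment sequences, SQL keywords and quote-tautology patterns in the email and password fields sent to employer/login.php, rating a lone apostrophe (legitimate in many e-mail addresses) lower than the other indicators. It assumes those fields appear in the logged request; for a POST form that requires a WAF or application log that records the submitted parameters.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample lines (combined log format), for illustration only. They assume the login
# fields appear in the logged request; for a POST form that needs a WAF or application log.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /employer/login.php?email=jane%40example.com&password=Summer2026 HTTP/1.1" 302 0
203.0.113.11 - - [01/Mar/2026:10:00:07 +0000] "GET /employer/login.php?email=%27+OR+%271%27%3D%271&password=x HTTP/1.1" 200 1843
203.0.113.12 - - [01/Mar/2026:10:00:09 +0000] "GET /employer/login.php?email=bob%40example.com%27+UNION+SELECT+1%2C2%2C3--+&password=x HTTP/1.1" 200 1843
203.0.113.13 - - [01/Mar/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.14 - - [01/Mar/2026:10:00:15 +0000] "GET /employer/login.php?email=o%27brien%40example.com&password=pw HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INDICATORS = [  # (label, pattern) checked against each decoded parameter value
    ("comment-sequence", re.compile(r"--|/\*|#")),
    ("sql-keyword", re.compile(r"\b(union|select|insert|update|delete|drop|sleep|benchmark|waitfor)\b", re.I)),
    ("tautology", re.compile(r'\b(or|and)\b\s*["\']?\s*\w*\s*["\']?\s*=', re.I)),  # e.g. ' OR '1'='1
    ("quote", re.compile("['\"]")),
]

def classify_value(value):
    """Return (severity, indicators) for one decoded login parameter value."""
    indicators = [label for label, rx in INDICATORS if rx.search(value)]
    if not indicators:
        return "none", indicators
    # A lone quote is common in legitimate data (o'brien@...), so on its own it only rates "low".
    severity = "high" if any(i != "quote" for i in indicators) else "low"
    return severity, indicators

def scan_login_attempts(log_text, endpoint="/employer/login.php"):
    """Return one finding per suspicious email/password value sent to the login endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        url = urlparse(m["target"])
        if not url.path.endswith(endpoint):
            continue  # only the vulnerable login endpoint is of interest here
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx and '+'
        for name in ("email", "password"):
            for raw in params.get(name, []):
                value = unquote_plus(raw)  # second pass catches double-encoded payloads
                severity, indicators = classify_value(value)
                if severity != "none":
                    findings.append({"ip": m["ip"], "timestamp": m["ts"], "param": name,
                                     "severity": severity, "indicators": indicators, "value": value})
    return findings
```

Run it over real logs by replacing SAMPLE_LOG with the file contents; "high" findings are worth correlating with database audit logs for the same time window.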

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns targeting the login.php endpoint.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the availability of public exploits and the unauthenticated nature of the attack vector, this vulnerability should be treated with high priority. Organizations using this software must implement compensating controls immediately to mitigate the risk of exploitation while waiting for official vendor guidance or security updates.