CVE-2026-14768
code-projects · Real State Services
A critical SQL injection vulnerability in code-projects Real State Services 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'loc' parameter in /builderHome.php.
Executive summary
An unauthenticated SQL injection vulnerability in code-projects Real State Services 1.0 allows attackers to execute arbitrary SQL commands, risking total database compromise.
Vulnerability
The application contains a flaw in /builderHome.php where the 'loc' parameter is not properly sanitized, facilitating SQL injection. This allows an unauthenticated attacker to inject and execute arbitrary SQL commands, compromising the database layer.
Business impact
With a CVSS score of 7.3, this vulnerability represents a significant risk to the integrity and confidentiality of the organization's data. Successful exploitation could allow attackers to bypass security controls, extract sensitive information, or disrupt service availability, potentially leading to severe business consequences.
Remediation
Immediate Action: Restrict access to the /builderHome.php script immediately and seek guidance from the vendor regarding a security patch.
Proactive Monitoring: Review web server traffic and database logs for unusual query patterns or attempts to manipulate the 'loc' parameter in web requests.
Compensating Controls: Implement WAF rules specifically designed to detect and block SQL injection strings targeting the 'loc' parameter within the /builderHome.php file.
Exploitation status
Public Exploit Available: True
Analyst recommendation
The presence of a public exploit for this unauthenticated SQL injection vulnerability requires urgent attention. Organizations should implement defensive measures, such as WAF filtering, and restrict access to the affected script until the vendor releases a permanent fix.