CVE-2026-14769
code-projects · Real State Services
A SQL injection vulnerability in code-projects Real State Services 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via the Bankname argument in /pay.php.
Executive summary
An unauthenticated SQL injection vulnerability in code-projects Real State Services 1.0 permits remote attackers to manipulate database queries and potentially access sensitive data.
Vulnerability
The /pay.php file fails to properly sanitize the Bankname parameter, allowing an unauthenticated attacker to inject malicious SQL commands. This provides a direct vector for unauthorized database interaction without requiring user authentication.
Business impact
This vulnerability carries a CVSS score of 7.3, indicating a high risk of unauthorized data access and potential database manipulation. Exploitation could lead to the exposure of customer or financial information, resulting in significant reputational damage and potential regulatory non-compliance for the organization managing the service.
Remediation
Immediate Action: Identify and restrict access to the vulnerable /pay.php file until the vendor provides a security update.
Proactive Monitoring: Monitor application logs for anomalous database activity or attempts to submit malformed input via the Bankname field.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block input containing SQL injection patterns directed at the /pay.php file.
Exploitation status
Public Exploit Available: True
Analyst recommendation
The combination of unauthenticated access and public exploit availability necessitates immediate action. Organizations must apply compensating controls such as WAF filtering or access restrictions to mitigate this high-risk vulnerability until a vendor patch is issued.