{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0576", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-03T16:01:43.656Z", "datePublished": "2026-01-04T09:02:06.125Z", "dateUpdated": "2026-02-23T08:11:56.706Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:11:56.706Z"}, "title": "code-projects Online Product Reservation System Parameter prod.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Online Product Reservation System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-03T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-09T16:17:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ho Cherry (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.339460", "name": "VDB-339460 | code-projects Online Product Reservation System Parameter prod.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.339460", "name": "VDB-339460 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731012", "name": "Submit #731012 | code-projects Online Product Reservation system V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md", "tags": ["related"]}, {"url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T19:47:21.091650Z", "id": "CVE-2026-0576", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:47:31.638Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0576", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T19:47:21.091650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:47:26.692Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Online Product Reservation System Parameter prod.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "Ho Cherry (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "code-projects", "modules": ["Parameter Handler"], "product": "Online Product Reservation System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-03T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-09T16:17:49.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.339460", "name": "VDB-339460 | code-projects Online Product Reservation System Parameter prod.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.339460", "name": "VDB-339460 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731012", "name": "Submit #731012 | code-projects Online Product Reservation system V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md", "tags": ["related"]}, {"url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:11:56.706Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0576", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:11:56.706Z", "dateReserved": "2026-01-03T16:01:43.656Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-04T09:02:06.125Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "20DD85F8-8BAC-44C5-99EC-F57924CE08AE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing a manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en code-projects Online Product Reservation System 1.0. Afecta a una funci\u00f3n desconocida del archivo /handgunner-administrator/prod.php del componente Parameter Handler. La manipulaci\u00f3n del argumento cat/price/name/model/serial resulta en inyecci\u00f3n SQL. Es posible iniciar el ataque de forma remota. El exploit es ahora p\u00fablico y puede ser utilizado."}], "id": "CVE-2026-0576", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-04T09:15:40.473", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.339460"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.339460"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.731012"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:21:24.002235+00:00", "value": {"mitigation_remediation": ["Verify and apply any vendor-supplied patch or update for Online Product Reservation System 1.0 that addresses the prod.php SQL injection.", "If no patch is available, restrict network access to the admin interface containing prod.php to trusted IP ranges or VPN, effectively limiting the attack surface.", "Implement input validation or parameterized queries for the cat, price, name, model, and serial parameters to prevent future injection attempts.", "Conduct a code audit of the Parameter Handler component to identify any other potential injection or related weaknesses."], "summary": {"action": "Patch", "impact": "Remote SQL Injection impacting confidentiality and integrity"}, "threat_synthesis": {"affected_systems": "The affected system is the code-projects Online Product Reservation System version 1.0. No other software versions or product lines were listed in the CNA data.", "description_and_impact": "This vulnerability arises from unsanitized input handling in the prod.php component of the Online Product Reservation System. By manipulating the cat, price, name, model, or serial arguments, an attacker can inject arbitrary SQL statements. The flaw can lead to unauthorized data extraction, modification, or deletion, thereby compromising the confidentiality, integrity, and availability of the underlying database.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity vulnerability, and the EPSS score of less than 1% suggests a low exploit probability at the time of publication. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Remote exploitation is possible, as indicated by the CNA description, meaning that an attacker could reach the vulnerable endpoint over the network. The likelihood of attack remains modest, but the impact is substantial if the flaw is leveraged."}}}}, "created": "2026-01-05T10:13:28.310108+00:00", "updated": "2026-04-18T19:30:08.960471+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$online_product_reservation_system"]}