code-projects Vehicle Showroom Management System 1.0 SQL Injection Vulnerability
A remote SQL injection vulnerability exists in code-projects Vehicle Showroom Management System 1.0 via manipulation of the BRANCH_ID argument in the /util/BookVehicleFunction.php file, potentially allowing unauthorized database access.
A SQL injection vulnerability has been identified in code-projects Vehicle Showroom Management System version 1.0. This vulnerability, tracked as CVE-2026-6149, resides within the /util/BookVehicleFunction.php file. Successful exploitation allows remote attackers to inject malicious SQL code by manipulating the BRANCH_ID argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected software, potentially leading to data breaches, unauthorized access, and complete system compromise.
Attack Chain
- The attacker identifies an instance of code-projects Vehicle Showroom Management System 1.0.
- The attacker crafts a malicious HTTP request targeting
/util/BookVehicleFunction.php. - The attacker injects SQL code into the
BRANCH_IDparameter within the HTTP request. - The web server passes the crafted SQL query to the underlying database without proper sanitization.
- The database executes the malicious SQL query.
- The attacker extracts sensitive information from the database.
- The attacker may use the extracted credentials to gain further access to the system.
- The attacker can modify, delete, or exfiltrate data from the database, leading to complete system compromise.
Impact
Successful exploitation of this SQL injection vulnerability (CVE-2026-6149) can have severe consequences. An attacker can gain unauthorized access to the Vehicle Showroom Management System's database, potentially exposing sensitive customer data, vehicle inventory information, and financial records. The vulnerability could lead to data breaches, financial losses, and reputational damage. Given the nature of the application, dealerships and other businesses managing vehicle inventories are the most likely targets.
Recommendation
- Apply the Sigma rule
Detect Suspicious BookVehicleFunction.php Accessto identify potential exploitation attempts targeting the vulnerable endpoint. - Inspect web server logs for unusual requests to
/util/BookVehicleFunction.phpwith suspicious characters or SQL keywords in theBRANCH_IDparameter. - Patch CVE-2026-6149 immediately upon patch availability to mitigate the SQL injection vulnerability.
- Implement proper input validation and sanitization on the
BRANCH_IDparameter in/util/BookVehicleFunction.phpto prevent future SQL injection attacks.
Detection coverage 2
Detect Suspicious BookVehicleFunction.php Access
highDetects suspicious access to the BookVehicleFunction.php file, potentially indicating SQL injection attempts.
Detect SQL Injection Characters in URI Query
mediumDetects common SQL injection characters in the URI query string, potentially indicating an attack.
Detection queries are available on the platform. Get full rules →