Threat Feed
Severity: high

SQL Injection Vulnerability in projectworlds Car Rental System 1.0

A SQL injection vulnerability (CVE-2026-5637) exists in projectworlds Car Rental System 1.0's /message_admin.php, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Message' argument.

A SQL injection vulnerability has been identified in projectworlds Car Rental System version 1.0. This flaw is located within the /message_admin.php file, specifically affecting the Parameter Handler component. By manipulating the Message argument, a remote attacker can inject malicious SQL code, potentially leading to unauthorized data access or modification. The vulnerability, assigned CVE-2026-5637, has a CVSS v3.1 score of 7.3, indicating a high severity. Public exploit code is available, increasing the risk of exploitation. This vulnerability poses a significant threat to systems running the affected Car Rental System version, as it can be exploited without authentication. Defenders should prioritize patching or mitigating this vulnerability to prevent potential data breaches or system compromise.

Attack Chain

  1. The attacker identifies a vulnerable instance of projectworlds Car Rental System 1.0 exposed to the internet.
  2. The attacker crafts a malicious HTTP request targeting the /message_admin.php file.
  3. Within the HTTP request, the attacker manipulates the Message parameter with a SQL injection payload. This payload could be designed to extract data or modify database entries.
  4. The vulnerable /message_admin.php script processes the attacker-supplied input without proper sanitization or validation.
  5. The injected SQL payload is executed against the underlying database server.
  6. The database server processes the malicious SQL query, potentially returning sensitive data to the attacker or modifying data within the database.
  7. The attacker receives the results of the injected SQL query, which may include sensitive data such as user credentials, financial information, or other confidential data.
  8. The attacker can then use the compromised data to further their attack, potentially gaining complete control over the vulnerable system or pivoting to other systems within the network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-5637) in projectworlds Car Rental System 1.0 could lead to significant data breaches, unauthorized access to sensitive information, and potential system compromise. Attackers could gain access to customer data, financial records, and other confidential information stored within the system’s database. The number of potential victims is dependent on the number of installations running the vulnerable version. Affected sectors include transportation, tourism, and any business using projectworlds Car Rental System 1.0 for managing their car rental operations. If exploited, the vulnerability may result in financial losses, reputational damage, and legal liabilities for the affected organizations.

Recommendation

  • Apply any available patches or updates for projectworlds Car Rental System 1.0 to address the SQL injection vulnerability (CVE-2026-5637).
  • Implement input validation and sanitization for the Message parameter in /message_admin.php to prevent SQL injection attacks.
  • Deploy a web application firewall (WAF) with rules to detect and block SQL injection attempts targeting the Message parameter in the /message_admin.php file.
  • Monitor web server logs for suspicious activity, such as requests with unusual characters or SQL syntax in the Message parameter, to detect potential exploitation attempts. Use the provided Sigma rule “Detect SQL Injection Attempt in Car Rental System” for this purpose.
  • Regularly audit and review the codebase of projectworlds Car Rental System 1.0 for other potential vulnerabilities.
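As an added example that is not part of this advisory, a small Python detector in the spirit of the monitoring recommendation above: it parses combined-format web server access log lines, isolates the Message parameter of requests to /message_admin.php, and flags values containing SQL syntax (the function names, patterns and sample lines are the editor's own). The sample log lines are constructed, and the detector assumes the parameter arrives in the query string; a POST body is not visible in a standard access log and needs request-body logging (for example a WAF audit log) before it can be inspected this way.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL-syntax indicators checked against the Message value only, so ordinary
# punctuation elsewhere in the request does not trigger a hit.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),  # quote followed by a tautology
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"(--|#|/\*)\s*$"),                    # trailing SQL comment marker
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),   # time-based probing
]

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /message_admin.php?Message=Please+call+me+back HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /message_admin.php?Message=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9831',
    '203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php?Message=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 201',
    '198.51.100.2 - - [10/Mar/2026:12:01:00 +0000] "POST /message_admin.php HTTP/1.1" 302 0',  # body not logged
]

def check_request(line):
    """Return a finding for a suspicious Message value on /message_admin.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != "/message_admin.php":
        return None
    # parse_qs decodes once; a second unquote_plus also catches double-encoded input
    for value in parse_qs(parts.query).get("Message", []):
        decoded = unquote_plus(value)
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                return {"ip": m.group("ip"), "time": m.group("time"),
                        "value": decoded, "pattern": pat.pattern}
    return None

def scan(lines):
    """Run check_request over an iterable of log lines and collect the findings."""
    return [f for f in map(check_request, lines) if f]
```

Only the second sample line is reported: the same value against /index.php is out of scope for this rule, and the POST request carries no query string, which is exactly the blind spot the body-logging assumption covers.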

Detection coverage (2 rules)

Detect SQL Injection Attempt in Car Rental System

Level: high

Detects potential SQL injection attempts targeting the projectworlds Car Rental System 1.0 by monitoring for suspicious SQL syntax in the 'Message' parameter within requests to '/message_admin.php'.

Format: Sigma | Tactics: initial_access, sql_injection | Techniques: T1190 | Sources: webserver, linux

Detect Possible SQL Injection via URI on Linux Web Servers

Level: medium

Detects possible SQL injection attempts by looking for common SQL injection syntax in URI requests on Linux web servers.

Format: Sigma | Tactics: initial_access, sql_injection | Techniques: T1190 | Sources: webserver, linux

Detection queries are kept inside the platform.