Skip to content
Threat Feed
high advisory

CVE-2026-14649: Remote SQL Injection in code-projects Online Voting System

A remote SQL injection vulnerability (CVE-2026-14649) exists in code-projects Online Voting System version 1.0, located in the 'test_input' function within the '/saveVote.php' file, allowing an unauthenticated attacker to execute arbitrary SQL queries by manipulating 'voterName', 'voterEmail', 'voterID', or 'selectedCandidate' arguments.

A critical SQL injection vulnerability (CVE-2026-14649) has been identified in version 1.0 of the code-projects Online Voting System. This flaw, residing in the test_input function within the /saveVote.php file, allows an unauthenticated, remote attacker to execute arbitrary SQL commands on the backend database. Attackers can exploit this by manipulating specific parameters such as voterName, voterEmail, voterID, or selectedCandidate in HTTP POST requests. The vulnerability poses a significant risk as it can lead to unauthorized data access, modification, or potential full compromise of the voting system's integrity, impacting election results and voter privacy. Defenders need to prioritize patching and monitoring for malicious web requests targeting this endpoint.

Attack Chain

  1. Attacker scans for internet-facing instances of code-projects Online Voting System 1.0.
  2. Attacker identifies the /saveVote.php endpoint as a potential target for user input manipulation.
  3. Attacker crafts an HTTP POST request containing malicious SQL characters (e.g., ' OR 1=1 -- -) within the voterName, voterEmail, voterID, or selectedCandidate parameters.
  4. The vulnerable test_input function in /saveVote.php processes the unsanitized input received from the HTTP request.
  5. The malicious input is concatenated directly into a database query, leading to arbitrary SQL command execution on the backend.
  6. The database executes the attacker's embedded SQL, which could be designed for data exfiltration (e.g., UNION SELECT password_hash FROM users), data modification, or privilege escalation.
  7. The application returns an HTTP response containing results of the executed SQL query or an altered application state, confirming successful exploitation.
  8. Attacker analyzes the response to extract sensitive data or confirm unauthorized changes to the voting system's records.

Impact

Successful exploitation of CVE-2026-14649 allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database. This can lead to severe consequences including unauthorized access to sensitive voter data, manipulation of voting records, or even complete compromise of the database. Such a breach could undermine the integrity of election results, expose personally identifiable information of voters, and cause significant reputational damage to the organization. While no specific victim count or sectors are mentioned, any organization using the affected Online Voting System 1.0 is at risk.

Recommendation

  • Immediately patch code-projects Online Voting System 1.0 to a version that addresses CVE-2026-14649. If no patch is available, consider implementing a web application firewall (WAF) with SQL injection detection rules.
  • Deploy the Sigma rule "Detects CVE-2026-14649 Exploitation — SQL Injection in Online Voting System" to your SIEM for real-time detection of exploitation attempts.
  • Enable comprehensive web server logging and review logs for suspicious HTTP POST requests to /saveVote.php containing SQL injection payloads.

Detection coverage 1

Detects CVE-2026-14649 Exploitation — SQL Injection in Online Voting System

high

Detects CVE-2026-14649 exploitation targeting the /saveVote.php endpoint with SQL injection payloads in voterName, voterEmail, voterID, or selectedCandidate parameters.

sigma tactics: impact, initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →