Skip to content
Threat Feed
high advisory

CVE-2026-14700: Code-Projects Internship Management System SQL Injection Vulnerability

A critical unauthenticated SQL injection vulnerability (CVE-2026-14700) in the 'employer/login.php' endpoint of code-projects Internship Management System 1.0 allows remote attackers to manipulate 'email' or 'password' arguments, potentially leading to unauthorized access and data compromise, with public exploit disclosure increasing risk.

CVE-2026-14700 details an unauthenticated SQL injection vulnerability affecting code-projects Internship Management System version 1.0. The flaw resides within an unknown function of the employer/login.php file, specifically impacting the Employer Login Endpoint. Attackers can remotely exploit this by manipulating the email or password arguments passed to this endpoint, allowing them to inject malicious SQL queries. The vulnerability has been publicly disclosed and is reported to be exploitable, enabling adversaries to bypass authentication, gain unauthorized access, and potentially extract sensitive data from the underlying database. This presents a significant risk to organizations using the affected system, as it can lead to data breaches, system compromise, and further attacks within the network.

Attack Chain

  1. Initial Access / Reconnaissance: An unauthenticated attacker identifies a vulnerable instance of code-projects Internship Management System 1.0 exposed to the internet.
  2. Vulnerability Exploitation: The attacker crafts a malicious HTTP POST request targeting the employer/login.php endpoint.
  3. SQL Injection Payload Delivery: The crafted request includes SQL injection payloads within the email or password parameters (e.g., ' OR 1=1--).
  4. Database Interaction: The vulnerable application processes the malicious input, causing the embedded SQL query to be executed by the backend database.
  5. Authentication Bypass / Information Disclosure: Successful injection allows the attacker to bypass authentication, potentially gain access to employer accounts, or extract sensitive information directly from the database.
  6. Data Exfiltration / Further Access: Obtained credentials or data could then be used for further unauthorized access, data exfiltration, or to pivot to other systems.

Impact

Successful exploitation of CVE-2026-14700 can lead to severe consequences for organizations utilizing the Internship Management System. Attackers can bypass authentication, gaining unauthorized access to the employer portal and potentially other system functionalities. This access enables the compromise of sensitive data stored in the database, including personal identifiable information (PII) of interns, employers, and potentially financial data. Such a breach can result in significant financial losses, reputational damage, regulatory penalties, and a complete loss of trust. The public disclosure of the exploit increases the likelihood of widespread opportunistic attacks against unpatched systems.

Recommendation

  • Patch CVE-2026-14700: Immediately apply any available patches or updates from code-projects to address CVE-2026-14700.
  • Implement Input Validation: Ensure robust input validation and parameterized queries are used in web applications, especially for user input like email and password on the employer/login.php endpoint.
  • Deploy Sigma Rule: Deploy the 'CVE-2026-14700: Internship Management System SQLi Attempt' rule to your SIEM to detect exploitation attempts.
  • Monitor Web Server Logs: Configure comprehensive logging for webserver events, specifically HTTP requests to employer/login.1php, to facilitate detection of malicious queries.

Detection coverage 1

CVE-2026-14700: Internship Management System SQLi Attempt

high

Detects CVE-2026-14700 exploitation — SQL injection attempts against the employer login endpoint of code-projects Internship Management System 1.0 by manipulating email/password arguments.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →