Skip to content
Threat Feed
high threat exploited

CVE-2026-14735: SQL Injection Vulnerability in code-projects Smart Parking System

A high-severity SQL injection vulnerability, CVE-2026-14735, exists in code-projects Smart Parking System 1.0, allowing remote attackers to manipulate the `street`, `city`, or `status` arguments in `/parkings/parkings.php` to execute arbitrary SQL queries, potentially leading to arbitrary file read and data exfiltration, with public exploit details available.

A significant SQL injection vulnerability, tracked as CVE-2026-14735, has been discovered in version 1.0 of the code-projects Smart Parking System. The flaw resides within an unspecified function of the /parkings/parkings.php file, where improper handling of user-supplied input to the street, city, or status parameters allows for remote SQL injection. This vulnerability enables unauthenticated attackers to execute arbitrary SQL commands against the backend database. Public disclosure of exploit details indicates the potential for active exploitation, with one reported consequence being the ability to perform arbitrary file reads on the underlying system, exposing sensitive data to attackers. Organizations using this system are at high risk of data breaches and unauthorized access.

Attack Chain

  1. An unauthenticated attacker identifies a vulnerable instance of code-projects Smart Parking System 1.0 accessible via the internet.
  2. The attacker crafts a malicious HTTP GET request targeting the /parkings/parkings.php endpoint.
  3. The crafted request includes SQL injection payloads within the street, city, or status URL parameters, designed to bypass input validation.
  4. The vulnerable application processes the unsanitized input, causing the backend database to execute the attacker's injected SQL commands.
  5. The injected SQL commands leverage database capabilities (e.g., LOAD_FILE() or UNION SELECT statements) to read arbitrary files from the server's file system (e.g., /etc/passwd, application configuration files).
  6. The database query results, containing the contents of the requested files, are returned within the HTTP response to the attacker.
  7. The attacker parses the HTTP response to extract the sensitive file contents, achieving data exfiltration.

Impact

Successful exploitation of CVE-2026-14735 could lead to significant data breaches, potentially exposing sensitive information from configuration files, system credentials, or other critical files on the server. The ability to perform arbitrary file reads allows attackers to gain reconnaissance about the system, retrieve database credentials, or even steal application source code. While the NVD does not specify victim counts or targeted sectors, any organization using the code-projects Smart Parking System 1.0 is susceptible. The public disclosure of exploit details increases the likelihood of widespread exploitation.

Recommendation

  • Immediately patch or update code-projects Smart Parking System to a non-vulnerable version if available. If no patch is available, remove the application from public access until a fix is released.
  • Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-14735 via suspicious parameters in web requests.
  • Review web server access logs for HTTP GET requests to /parkings/parkings.php containing SQL injection patterns in the street, city, or status parameters.
  • Implement a Web Application Firewall (WAF) in front of affected systems and ensure it is configured to detect and block SQL injection attempts.

Detection coverage 1

Detects CVE-2026-14735 Exploitation — Smart Parking System SQL Injection

high

Detects CVE-2026-14735 exploitation attempts targeting the code-projects Smart Parking System via SQL injection in the 'street', 'city', or 'status' parameters of /parkings/parkings.php.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

6

url

TypeValue
urlhttps://code-projects.org/
urlhttps://medium.com/@avdzav10/sql-injection-leading-to-arbitrary-file-read-in-smart-parking-system-php-2cd5b084f9e1
urlhttps://vuldb.com/cve/CVE-2026-14735
urlhttps://vuldb.com/submit/848002
urlhttps://vuldb.com/vuln/376317
urlhttps://vuldb.com/vuln/376317/cti