Skip to content
Threat Feed
high advisory

CVE-2026-14743: Remote SQL Injection in code-projects Real State Services 1.0

A high-severity remote SQL injection vulnerability (CVE-2026-14743) in code-projects Real State Services 1.0 allows an unauthenticated attacker to manipulate the 'loc' argument in the `/normalHomeSale.php` file, leading to arbitrary SQL command execution and potential compromise of confidentiality, integrity, and availability of data, with an exploit publicly available.

A high-severity SQL injection vulnerability, tracked as CVE-2026-14743, has been identified in code-projects Real State Services version 1.0. The flaw specifically resides in an unknown function within the /normalHomeSale.php file. Attackers can exploit this vulnerability remotely and without authentication by manipulating the 'loc' argument, embedding malicious SQL queries directly into database commands. This can lead to unauthorized access, modification, or deletion of sensitive database information. The existence of a publicly available exploit significantly increases the risk of this vulnerability being actively abused by malicious actors, making immediate patching or mitigation crucial for any organization using the affected software.

Attack Chain

  1. Reconnaissance: An attacker identifies an internet-facing instance of code-projects Real State Services 1.0.
  2. Initial Access: The attacker sends a crafted HTTP GET or POST request to the vulnerable /normalHomeSale.php endpoint.
  3. Vulnerability Exploitation: The attacker includes a specially malformed SQL injection payload within the loc parameter of the HTTP request.
  4. Server-Side Processing: The vulnerable application processes the request, embedding the attacker-controlled loc parameter directly into an SQL query without proper sanitization.
  5. SQL Injection: The database server executes the manipulated SQL query, granting the attacker unauthorized database access.
  6. Data Compromise: The attacker can then exfiltrate sensitive data (e.g., user credentials, financial information), modify existing records, or inject new data into the database.
  7. Impact: This leads to a compromise of data confidentiality, integrity, and potentially availability, depending on the attacker's objective.

Impact

Successful exploitation of CVE-2026-14743 could lead to severe consequences for organizations running code-projects Real State Services 1.0. Attackers can gain complete control over the application's database, allowing for the exfiltration of sensitive user data, modification of application content, or even complete data destruction. The impact extends to potential financial losses due to data breaches, reputational damage, and service disruption. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk.

Recommendation

  • Patch CVE-2026-14743: Immediately apply any available patches or updates for code-projects Real State Services 1.0 as advised by the vendor. If no patch is available, remove or decommission the affected service.
  • Web Application Firewall (WAF): Implement or update WAF rules to detect and block common SQL injection patterns, especially targeting the /normalHomeSale.php endpoint and loc parameter, which can help prevent exploitation of CVE-2026-14743.
  • Deploy Detection Rule: Deploy the provided Sigma rule "Detect CVE-2026-14743 Exploitation - SQL Injection in Real State Services" to your SIEM/detection platform.
  • Enable Webserver Logging: Ensure comprehensive web server logging for HTTP requests, including cs-uri-stem and cs-uri-query parameters, to enable detection of exploitation attempts.

Detection coverage 1

Detect CVE-2026-14743 Exploitation - SQL Injection in Real State Services

high

Detects exploitation attempts of CVE-2026-14743, an SQL injection vulnerability in code-projects Real State Services 1.0, specifically targeting the '/normalHomeSale.php' file via the 'loc' argument with common SQLi patterns.

sigma tactics: impact, initial_access techniques: T1190, T1561 sources: webserver

Detection queries are available on the platform. Get full rules →