Skip to content
Threat Feed
high advisory

CVE-2026-14744: Remote SQL Injection in code-projects Real State Services 1.0

A critical SQL injection vulnerability (CVE-2026-14744) has been found in code-projects Real State Services version 1.0. The flaw resides in an unknown function within the /normalHomeRent.php file, where manipulating the 'loc' argument allows for remote SQL injection, and a public exploit has been released, posing an immediate threat to affected systems.

A critical SQL injection vulnerability, identified as CVE-2026-14744, has been discovered in code-projects Real State Services version 1.0. This flaw, published on July 5, 2026, resides within an unspecified function of the /normalHomeRent.php file. An unauthenticated, remote attacker can exploit this vulnerability by manipulating the loc argument in an HTTP GET request, bypassing security controls and enabling direct interaction with the backend database. The public release of an exploit significantly escalates the risk, making this an immediate and high-priority concern for organizations utilizing this software. Successful exploitation can lead to unauthorized access to sensitive data, data manipulation, or, in severe cases, remote code execution on the underlying server, severely impacting data confidentiality, integrity, and system availability.

Attack Chain

  1. An unauthenticated attacker identifies an internet-facing instance of code-projects Real State Services 1.0.
  2. The attacker crafts a malicious HTTP GET request targeting the vulnerable /normalHomeRent.php endpoint.
  3. The request includes a specifically engineered SQL injection payload embedded within the loc URL parameter (e.g., loc=' UNION SELECT NULL,version(),NULL,NULL-- -).
  4. The vulnerable Real State Services application processes this request without adequate input sanitization or validation for the loc parameter.
  5. The web application's backend code embeds the malicious payload directly into an SQL query that is sent to the database.
  6. The backend database executes the manipulated SQL query, which may result in sensitive data being returned in the HTTP response, or the execution of arbitrary database commands.
  7. The attacker retrieves the database's response, potentially gaining access to confidential information, modifying database records, or facilitating further system compromise.

Impact

Successful exploitation of CVE-2026-14744 grants remote, unauthenticated attackers the ability to perform SQL injection, leading to significant compromises. The primary impact includes unauthorized access to sensitive database information, such as user credentials, personal data, or proprietary business information. Attackers could also manipulate or delete data, severely affecting data integrity. In some scenarios, depending on the database configuration and type of SQL injection, remote code execution might be achievable on the server hosting the application, leading to full system compromise. With a public exploit available, the number of potential victims is high, spanning any organization or individual using the affected code-projects Real State Services 1.0 software.

Recommendation

  • Immediately apply patches or security updates for code-projects Real State Services 1.0 as they become available from the vendor, code-projects.
  • Deploy the Sigma rule provided in this brief to your SIEM/detection platform to identify attempts to exploit CVE-2026-14744.
  • Ensure web application firewalls (WAFs) are configured to detect and block common SQL injection patterns, specifically targeting the loc parameter in /normalHomeRent.php.
  • Implement strong input validation and parameterized queries in any custom web applications to prevent similar SQL injection vulnerabilities.
  • Review web server access logs for any suspicious requests targeting /normalHomeRent.php with unusual loc parameter values, especially those matching the IOCs or patterns in the Sigma rule.

Detection coverage 1

Detects CVE-2026-14744 Exploitation — SQL Injection in Real State Services

high

Detects CVE-2026-14744 exploitation — HTTP GET requests to /normalHomeRent.php with suspicious SQL injection patterns in the 'loc' query parameter, indicating an attempted remote SQL Injection.

sigma tactics: impact, initial_access techniques: T1190, T1505 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

6

url

TypeValue
urlhttps://code-projects.org/
urlhttps://github.com/6Justdododo6/CVE/issues/23
urlhttps://vuldb.com/cve/CVE-2026-14744
urlhttps://vuldb.com/submit/849260
urlhttps://vuldb.com/vuln/376330
urlhttps://vuldb.com/vuln/376330/cti