Skip to content
Threat Feed
high advisory

CVE-2026-14747: SQL Injection in code-projects Real State Services 1.0

A high-severity SQL Injection vulnerability, CVE-2026-14747, exists in the /addprojectsale.php file of code-projects Real State Services 1.0, allowing remote unauthenticated attackers to manipulate the 'amen' argument for arbitrary SQL query execution, leading to data compromise or unauthorized access.

A critical SQL Injection vulnerability, tracked as CVE-2026-14747, has been identified in version 1.0 of the code-projects Real State Services application. This flaw resides within an unspecified function of the /addprojectsale.php file, where improper handling of user-supplied input to the amen argument allows for remote, unauthenticated attackers to inject and execute arbitrary SQL commands. This enables attackers to bypass security measures, extract sensitive information from the underlying database, or potentially achieve further system compromise depending on the database's privileges. The vulnerability was publicly disclosed on July 5, 2026, by VulDB and is a significant concern for organizations using this specific version of the Real State Services application, as exploitation can lead to severe data breaches.

Attack Chain

  1. An unauthenticated attacker identifies a web-facing instance of code-projects Real State Services 1.0.
  2. The attacker crafts a specially designed HTTP POST request targeting the /addprojectsale.php endpoint.
  3. This request includes a malicious SQL injection payload within the amen parameter, bypassing input validation.
  4. The vulnerable application processes the request, incorporating the unsanitized amen parameter value directly into a database query.
  5. The backend SQL database executes the attacker-supplied malicious SQL commands, leading to unauthorized access.
  6. Successful exploitation allows the attacker to read, modify, or delete database contents, extract sensitive data, or potentially establish persistence (e.g., by writing a web shell if sufficient database privileges exist).
  7. The attacker then proceeds with data exfiltration or further compromise of the affected web server.

Impact

Successful exploitation of CVE-2026-14747 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain complete control over the application's database, leading to unauthorized disclosure of sensitive customer data, property listings, or internal operational information. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption. The remote and unauthenticated nature of the vulnerability means that any internet-exposed instance of the application is at risk, potentially affecting numerous small to medium-sized businesses in the real estate sector.

Recommendation

  • Immediately update code-projects Real State Services to a patched version once available to remediate CVE-2026-14747.
  • Deploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against CVE-2026-14747.
  • Review web server logs for suspicious activity targeting /addprojectsale.php with SQL injection patterns.
  • Implement a Web Application Firewall (WAF) in front of the application to filter and block malicious SQL injection payloads.

Detection coverage 1

Detects CVE-2026-14747 Exploitation — SQL Injection in Real State Services

high

Detects CVE-2026-14747 exploitation attempts via SQL injection in the 'amen' argument of /addprojectsale.php in code-projects Real State Services 1.0. This looks for common SQL keywords and delimiters.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →