CVE-2026-14768: Remote SQL Injection in code-projects Real State Services 1.0
A remote SQL injection vulnerability (CVE-2026-14768) has been identified in code-projects Real State Services 1.0, allowing attackers to exploit the 'loc' argument in '/builderHome.php' for arbitrary SQL command execution, with a public exploit available.
A critical remote SQL injection vulnerability, tracked as CVE-2026-14768, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the /builderHome.php file, where improper sanitization of the loc argument allows unauthenticated attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized access to the underlying database, data exfiltration, data manipulation, or potentially further system compromise. The CVSS v3.1 Base Score is 7.3 (High), and a public exploit for this vulnerability is currently available, significantly increasing the risk of widespread exploitation by various threat actors. Organizations utilizing code-projects Real State Services 1.0 should consider immediate remediation due to the ease of exploitation and potential impact.
Attack Chain
- An unauthenticated attacker crafts a malicious HTTP GET or POST request targeting the
/builderHome.phpendpoint of the vulnerable Real State Services application. - The attacker embeds SQL injection payloads within the
locargument of the HTTP request, designed to bypass input validation. - The vulnerable application processes the unsanitized
locargument directly within a backend SQL query. - The injected SQL commands are executed by the application's database, allowing the attacker to interact with the database beyond legitimate access.
- This enables the attacker to perform actions such as retrieving sensitive information (e.g., user credentials, property listings), modifying database contents, or executing arbitrary commands on the host server if the database configuration permits (e.g., via
xp_cmdshellorLOAD_FILE/INTO_OUTFILE). - The attacker achieves unauthorized access to the application's backend data or gains further control over the hosting server, leading to data compromise or system takeover.
Impact
Successful exploitation of CVE-2026-14768 grants attackers full control over the application's database. This can lead to severe consequences, including the exfiltration of sensitive real estate data, customer information, or administrative credentials. Data integrity could be compromised through unauthorized modification or deletion of records. Given the public availability of an exploit, organizations running code-projects Real State Services 1.0 face an immediate and elevated risk of data breaches, reputational damage, and potential regulatory fines. The impact on victims could range from unauthorized access to critical business information to complete compromise of the underlying server infrastructure.
Recommendation
- Immediately apply any available patches or security updates for code-projects Real State Services 1.0 to address CVE-2026-14768.
- Deploy the
Detect CVE-2026-14768 Exploitation - Real State Services SQLiSigma rule to your SIEM to detect attempted exploitation of this vulnerability. - Implement or strengthen Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and anomalous requests targeting
/builderHome.php. - Enable comprehensive web server logging and regularly review logs for suspicious HTTP requests containing SQL injection payloads, especially those targeting
/builderHome.phpwith thelocargument.
Detection coverage 1
Detect CVE-2026-14768 Exploitation - Real State Services SQLi
highDetects CVE-2026-14768 exploitation — Malicious HTTP requests to /builderHome.php with SQL injection payloads in the 'loc' argument.
Detection queries are available on the platform. Get full rules →