Skip to content
Threat Feed
high advisory

CVE-2026-14769 — SQL Injection in code-projects Real State Services 1.0

A critical security vulnerability, CVE-2026-14769, allows for remote SQL Injection in code-projects Real State Services 1.0 via the 'Bankname' argument in the '/pay.php' file, with a publicly disclosed exploit enabling information disclosure and potential data manipulation.

A significant security vulnerability, CVE-2026-14769, has been identified in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the /pay.php endpoint, where inadequate sanitization of the Bankname argument permits remote SQL Injection. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the risk of widespread exploitation. Successful attacks could lead to unauthorized access to the application's underlying database, potentially compromising sensitive information, corrupting data, or impacting the availability of the service. Defenders should prioritize patching and implement robust input validation to mitigate the threat posed by this easily exploitable vulnerability.

Attack Chain

  1. An unauthenticated attacker sends a specially crafted HTTP POST or GET request to the /pay.php endpoint of the vulnerable code-projects Real State Services 1.0 application.
  2. The request includes malicious SQL injection payloads embedded within the Bankname argument, designed to manipulate the application's database queries.
  3. The application, lacking proper input validation and sanitization for the Bankname parameter, directly incorporates the attacker-supplied malicious string into its backend SQL query.
  4. This improper handling results in a classic SQL Injection vulnerability, allowing the attacker to execute arbitrary SQL commands on the application's database.
  5. Depending on the database permissions and attacker's objectives, this can lead to unauthorized information disclosure (e.g., retrieving sensitive user data, credentials, or system configurations).
  6. The attacker may also be able to modify, insert, or delete data within the database, causing data integrity issues or service disruption.
  7. In some configurations, successful SQL Injection can be escalated to arbitrary command execution on the underlying server, providing the attacker with full system control.
  8. The ultimate objective could be data exfiltration, defacement, or further lateral movement within the compromised environment.

Impact

Successful exploitation of CVE-2026-14769 grants an attacker unauthorized control over the application's database. This directly translates to a high risk of sensitive data exposure, including user credentials, financial records, or other proprietary business information. Beyond confidentiality impact, attackers can tamper with database records, leading to data integrity issues that can disrupt business operations, degrade service quality, or facilitate further fraudulent activities. While the CVSS score indicates low impact on Confidentiality, Integrity, and Availability, the nature of SQL Injection, especially with publicly available exploits, often leads to severe consequences for affected organizations across various sectors.

Recommendation

  • Patch Immediately: Apply any available patches or updates from code-projects for Real State Services 1.0 to address CVE-2026-14769.
  • Deploy WAF: Implement or update Web Application Firewall (WAF) rules to detect and block common SQL injection patterns targeting the /pay.php endpoint and the Bankname argument, leveraging the patterns defined in the Sigma rule below.
  • Input Validation: Review and enhance application-level input validation on all user-supplied data, especially the Bankname parameter within /pay.php, to prevent SQL injection.
  • Deploy Sigma Rules: Deploy the provided Sigma rule "Detects CVE-2026-14769 Exploitation — SQL Injection via /pay.php Bankname Argument" to your SIEM and tune for your environment, focusing on webserver logs.

Detection coverage 1

Detects CVE-2026-14769 Exploitation — SQL Injection via /pay.php Bankname Argument

high

Detects CVE-2026-14769 exploitation attempts targeting code-projects Real State Services 1.0 via SQL injection in the 'Bankname' argument of the '/pay.php' endpoint, indicated by common SQL payloads.

sigma tactics: impact, initial_access techniques: T1190, T1530 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

6

url

TypeValue
urlhttps://code-projects.org/
urlhttps://github.com/6Justdododo6/CVE/issues/28
urlhttps://vuldb.com/cve/CVE-2026-14769
urlhttps://vuldb.com/submit/849374
urlhttps://vuldb.com/vuln/376359
urlhttps://vuldb.com/vuln/376359/cti