{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/real-state-services-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14769"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA significant security vulnerability, CVE-2026-14769, has been identified in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the \u003ccode\u003e/pay.php\u003c/code\u003e endpoint, where inadequate sanitization of the \u003ccode\u003eBankname\u003c/code\u003e argument permits remote SQL Injection. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the risk of widespread exploitation. Successful attacks could lead to unauthorized access to the application's underlying database, potentially compromising sensitive information, corrupting data, or impacting the availability of the service. Defenders should prioritize patching and implement robust input validation to mitigate the threat posed by this easily exploitable vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted HTTP POST or GET request to the \u003ccode\u003e/pay.php\u003c/code\u003e endpoint of the vulnerable code-projects Real State Services 1.0 application.\u003c/li\u003e\n\u003cli\u003eThe request includes malicious SQL injection payloads embedded within the \u003ccode\u003eBankname\u003c/code\u003e argument, designed to manipulate the application's database queries.\u003c/li\u003e\n\u003cli\u003eThe application, lacking proper input validation and sanitization for the \u003ccode\u003eBankname\u003c/code\u003e parameter, directly incorporates the attacker-supplied malicious string into its backend SQL query.\u003c/li\u003e\n\u003cli\u003eThis improper handling results in a classic SQL Injection vulnerability, allowing the attacker to execute arbitrary SQL commands on the application's database.\u003c/li\u003e\n\u003cli\u003eDepending on the database permissions and attacker's objectives, this can lead to unauthorized information disclosure (e.g., retrieving sensitive user data, credentials, or system configurations).\u003c/li\u003e\n\u003cli\u003eThe attacker may also be able to modify, insert, or delete data within the database, causing data integrity issues or service disruption.\u003c/li\u003e\n\u003cli\u003eIn some configurations, successful SQL Injection can be escalated to arbitrary command execution on the underlying server, providing the attacker with full system control.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective could be data exfiltration, defacement, or further lateral movement within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14769 grants an attacker unauthorized control over the application's database. This directly translates to a high risk of sensitive data exposure, including user credentials, financial records, or other proprietary business information. Beyond confidentiality impact, attackers can tamper with database records, leading to data integrity issues that can disrupt business operations, degrade service quality, or facilitate further fraudulent activities. While the CVSS score indicates low impact on Confidentiality, Integrity, and Availability, the nature of SQL Injection, especially with publicly available exploits, often leads to severe consequences for affected organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Apply any available patches or updates from code-projects for Real State Services 1.0 to address CVE-2026-14769.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy WAF\u003c/strong\u003e: Implement or update Web Application Firewall (WAF) rules to detect and block common SQL injection patterns targeting the \u003ccode\u003e/pay.php\u003c/code\u003e endpoint and the \u003ccode\u003eBankname\u003c/code\u003e argument, leveraging the patterns defined in the Sigma rule below.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInput Validation\u003c/strong\u003e: Review and enhance application-level input validation on all user-supplied data, especially the \u003ccode\u003eBankname\u003c/code\u003e parameter within \u003ccode\u003e/pay.php\u003c/code\u003e, to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rules\u003c/strong\u003e: Deploy the provided Sigma rule \u0026quot;Detects CVE-2026-14769 Exploitation — SQL Injection via /pay.php Bankname Argument\u0026quot; to your SIEM and tune for your environment, focusing on webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T21:24:19Z","date_published":"2026-07-05T21:24:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14769-sql-injection-real-state-services/","summary":"A critical security vulnerability, CVE-2026-14769, allows for remote SQL Injection in code-projects Real State Services 1.0 via the 'Bankname' argument in the '/pay.php' file, with a publicly disclosed exploit enabling information disclosure and potential data manipulation.","title":"CVE-2026-14769 — SQL Injection in code-projects Real State Services 1.0","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14769-sql-injection-real-state-services/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14768"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","sql-injection","php","cve"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA critical remote SQL injection vulnerability, tracked as CVE-2026-14768, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the \u003ccode\u003e/builderHome.php\u003c/code\u003e file, where improper sanitization of the \u003ccode\u003eloc\u003c/code\u003e argument allows unauthenticated attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized access to the underlying database, data exfiltration, data manipulation, or potentially further system compromise. The CVSS v3.1 Base Score is 7.3 (High), and a public exploit for this vulnerability is currently available, significantly increasing the risk of widespread exploitation by various threat actors. Organizations utilizing code-projects Real State Services 1.0 should consider immediate remediation due to the ease of exploitation and potential impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/builderHome.php\u003c/code\u003e endpoint of the vulnerable Real State Services application.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds SQL injection payloads within the \u003ccode\u003eloc\u003c/code\u003e argument of the HTTP request, designed to bypass input validation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the unsanitized \u003ccode\u003eloc\u003c/code\u003e argument directly within a backend SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL commands are executed by the application's database, allowing the attacker to interact with the database beyond legitimate access.\u003c/li\u003e\n\u003cli\u003eThis enables the attacker to perform actions such as retrieving sensitive information (e.g., user credentials, property listings), modifying database contents, or executing arbitrary commands on the host server if the database configuration permits (e.g., via \u003ccode\u003exp_cmdshell\u003c/code\u003e or \u003ccode\u003eLOAD_FILE/INTO_OUTFILE\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized access to the application's backend data or gains further control over the hosting server, leading to data compromise or system takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14768 grants attackers full control over the application's database. This can lead to severe consequences, including the exfiltration of sensitive real estate data, customer information, or administrative credentials. Data integrity could be compromised through unauthorized modification or deletion of records. Given the public availability of an exploit, organizations running code-projects Real State Services 1.0 face an immediate and elevated risk of data breaches, reputational damage, and potential regulatory fines. The impact on victims could range from unauthorized access to critical business information to complete compromise of the underlying server infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply any available patches or security updates for code-projects Real State Services 1.0 to address CVE-2026-14768.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-14768 Exploitation - Real State Services SQLi\u003c/code\u003e Sigma rule to your SIEM to detect attempted exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement or strengthen Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and anomalous requests targeting \u003ccode\u003e/builderHome.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging and regularly review logs for suspicious HTTP requests containing SQL injection payloads, especially those targeting \u003ccode\u003e/builderHome.php\u003c/code\u003e with the \u003ccode\u003eloc\u003c/code\u003e argument.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T20:23:33Z","date_published":"2026-07-05T20:23:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14768-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-14768) has been identified in code-projects Real State Services 1.0, allowing attackers to exploit the 'loc' argument in '/builderHome.php' for arbitrary SQL command execution, with a public exploit available.","title":"CVE-2026-14768: Remote SQL Injection in code-projects Real State Services 1.0","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14768-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14747"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-exploitation","cve","php","real-state"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA critical SQL Injection vulnerability, tracked as CVE-2026-14747, has been identified in version 1.0 of the code-projects Real State Services application. This flaw resides within an unspecified function of the \u003ccode\u003e/addprojectsale.php\u003c/code\u003e file, where improper handling of user-supplied input to the \u003ccode\u003eamen\u003c/code\u003e argument allows for remote, unauthenticated attackers to inject and execute arbitrary SQL commands. This enables attackers to bypass security measures, extract sensitive information from the underlying database, or potentially achieve further system compromise depending on the database's privileges. The vulnerability was publicly disclosed on July 5, 2026, by VulDB and is a significant concern for organizations using this specific version of the Real State Services application, as exploitation can lead to severe data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a web-facing instance of code-projects Real State Services 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially designed HTTP POST request targeting the \u003ccode\u003e/addprojectsale.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThis request includes a malicious SQL injection payload within the \u003ccode\u003eamen\u003c/code\u003e parameter, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the request, incorporating the unsanitized \u003ccode\u003eamen\u003c/code\u003e parameter value directly into a database query.\u003c/li\u003e\n\u003cli\u003eThe backend SQL database executes the attacker-supplied malicious SQL commands, leading to unauthorized access.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to read, modify, or delete database contents, extract sensitive data, or potentially establish persistence (e.g., by writing a web shell if sufficient database privileges exist).\u003c/li\u003e\n\u003cli\u003eThe attacker then proceeds with data exfiltration or further compromise of the affected web server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14747 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain complete control over the application's database, leading to unauthorized disclosure of sensitive customer data, property listings, or internal operational information. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption. The remote and unauthenticated nature of the vulnerability means that any internet-exposed instance of the application is at risk, potentially affecting numerous small to medium-sized businesses in the real estate sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update code-projects Real State Services to a patched version once available to remediate CVE-2026-14747.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against CVE-2026-14747.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious activity targeting \u003ccode\u003e/addprojectsale.php\u003c/code\u003e with SQL injection patterns.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) in front of the application to filter and block malicious SQL injection payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T13:21:42Z","date_published":"2026-07-05T13:21:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14747-sql-injection/","summary":"A high-severity SQL Injection vulnerability, CVE-2026-14747, exists in the /addprojectsale.php file of code-projects Real State Services 1.0, allowing remote unauthenticated attackers to manipulate the 'amen' argument for arbitrary SQL query execution, leading to data compromise or unauthorized access.","title":"CVE-2026-14747: SQL Injection in code-projects Real State Services 1.0","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14747-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14746"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","webserver","public-exploit"],"_cs_type":"threat","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA high-severity SQL injection vulnerability, identified as CVE-2026-14746, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the \u003ccode\u003e/addprojectrent.php\u003c/code\u003e endpoint, where an attacker can manipulate the \u003ccode\u003eamen\u003c/code\u003e argument to inject and execute arbitrary SQL commands. The vulnerability is remotely exploitable and does not require authentication, making it a critical threat. Public disclosure of the exploit increases the likelihood of active exploitation in the wild. This vulnerability could lead to unauthorized access to sensitive data, modification of database contents, or potentially complete compromise of the affected web application's data. Organizations running this specific application version are strongly advised to take immediate remediation steps.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an internet-facing instance of code-projects Real State Services 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/addprojectrent.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker injects SQL payloads into the \u003ccode\u003eamen\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the \u003ccode\u003eamen\u003c/code\u003e argument without adequate input validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL payload is then executed directly within the application's backend database.\u003c/li\u003e\n\u003cli\u003eThis successful injection allows the attacker to read, modify, or delete sensitive data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may also be able to gain unauthorized administrative access or exfiltrate confidential information, leading to data breaches.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14746 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain full control over the application's database, allowing them to steal sensitive user data, property listings, or financial information. They could also manipulate or deface the website, insert malicious content, or compromise the integrity of the real estate listings. Given that the exploit has been publicly disclosed, organizations running this application are at an elevated risk of immediate data breaches, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply any available patches or updates provided by code-projects for Real State Services 1.0 to address CVE-2026-14746.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all user-supplied data, specifically focusing on the \u003ccode\u003eamen\u003c/code\u003e argument in \u003ccode\u003e/addprojectrent.php\u003c/code\u003e, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) to detect and block malicious HTTP requests containing SQL injection payloads, protecting against CVE-2026-14746.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-14746 Exploitation — SQL Injection in Real State Services\u0026quot; to your SIEM and tune for your environment to identify attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:21:44Z","date_published":"2026-07-05T12:21:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-code-projects-real-state-services-sql-injection/","summary":"A high-severity SQL injection vulnerability (CVE-2026-14746) exists in code-projects Real State Services 1.0, specifically in the `/addprojectrent.php` file, where the `amen` argument can be manipulated to execute arbitrary SQL commands, enabling remote attackers to achieve unauthorized data access or modification, with public exploit disclosure increasing the risk of active exploitation.","title":"CVE-2026-14746: SQL Injection in code-projects Real State Services","url":"https://feed.craftedsignal.io/briefs/2026-07-code-projects-real-state-services-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14745"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","sql-injection","cve","real-estate","vulnerability"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA severe SQL injection vulnerability, identified as CVE-2026-14745, has been discovered in version 1.0 of the code-projects Real State Services application. The flaw resides within an unknown function associated with the \u003ccode\u003e/single-list_rent.php\u003c/code\u003e file, where improper sanitization of the \u003ccode\u003eID\u003c/code\u003e argument allows unauthenticated attackers to inject and execute arbitrary SQL commands. This remote exploit poses a significant risk as it can be initiated without prior authentication, and a proof-of-concept exploit has been publicly disclosed, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing robust input validation to prevent attackers from compromising sensitive database information, modifying records, or potentially achieving remote code execution on the underlying server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker discovers or targets a web server running code-projects Real State Services 1.0, potentially using publicly available exploit information for CVE-2026-14745.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the vulnerable \u003ccode\u003e/single-list_rent.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eA carefully constructed SQL injection payload is embedded within the \u003ccode\u003eID\u003c/code\u003e URL parameter (e.g., \u003ccode\u003e/single-list_rent.php?ID=\u0026lt;SQL_PAYLOAD\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable application component processes the \u003ccode\u003eID\u003c/code\u003e parameter without adequate input validation or sanitization, leading to the concatenation and execution of the attacker's SQL query by the backend database.\u003c/li\u003e\n\u003cli\u003eDepending on the injected payload, the database executes commands such as extracting sensitive data (e.g., user credentials, property listings, application configuration) or modifying existing records.\u003c/li\u003e\n\u003cli\u003eThe application's HTTP response, designed to display rental property details, inadvertently includes the results of the executed SQL query, allowing the attacker to exfiltrate the targeted data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized access to confidential information, can manipulate application data, or potentially escalate privileges to achieve remote code execution on the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14745 allows remote, unauthenticated attackers to gain unauthorized access to the application's underlying database. This can lead to the full compromise of sensitive data, including but not limited to user credentials, personal identifiable information of clients, property listings, and administrative records, directly affecting confidentiality. Attackers could also modify database contents, leading to data integrity issues such as altering property details or transaction records. In some cases, SQL injection vulnerabilities can be leveraged for remote code execution on the server, allowing for full system compromise. The availability of a public exploit significantly increases the risk of widespread attacks against organizations using this Real Estate Services application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch code-projects Real State Services 1.0 to a secure version if available, or remove the application from public access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious web requests to \u003ccode\u003e/single-list_rent.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to block known SQL injection patterns and monitor for attempts to exploit CVE-2026-14745, specifically traffic targeting \u003ccode\u003e/single-list_rent.php\u003c/code\u003e with suspicious \u003ccode\u003eID\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for \u003ccode\u003ecs-uri-stem\u003c/code\u003e containing \u003ccode\u003e/single-list_rent.php\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e containing SQL injection indicators (e.g., quotes, comments, boolean operators) to identify past or ongoing exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:20:55Z","date_published":"2026-07-05T12:20:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/","summary":"A critical SQL injection vulnerability (CVE-2026-14745) affecting code-projects Real State Services version 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands by manipulating the 'ID' argument in the '/single-list_rent.php' file, potentially leading to data exposure, unauthorized modification, or denial of service, with a public exploit available.","title":"CVE-2026-14745: SQL Injection in code-projects Real State Services","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14744"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["web-exploitation","sql-injection","cve-2026-14744","initial-access","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability, identified as CVE-2026-14744, has been discovered in \u003ccode\u003ecode-projects Real State Services\u003c/code\u003e version 1.0. This flaw, published on July 5, 2026, resides within an unspecified function of the \u003ccode\u003e/normalHomeRent.php\u003c/code\u003e file. An unauthenticated, remote attacker can exploit this vulnerability by manipulating the \u003ccode\u003eloc\u003c/code\u003e argument in an HTTP GET request, bypassing security controls and enabling direct interaction with the backend database. The public release of an exploit significantly escalates the risk, making this an immediate and high-priority concern for organizations utilizing this software. Successful exploitation can lead to unauthorized access to sensitive data, data manipulation, or, in severe cases, remote code execution on the underlying server, severely impacting data confidentiality, integrity, and system availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an internet-facing instance of \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the vulnerable \u003ccode\u003e/normalHomeRent.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a specifically engineered SQL injection payload embedded within the \u003ccode\u003eloc\u003c/code\u003e URL parameter (e.g., \u003ccode\u003eloc=' UNION SELECT NULL,version(),NULL,NULL-- -\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eReal State Services\u003c/code\u003e application processes this request without adequate input sanitization or validation for the \u003ccode\u003eloc\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe web application's backend code embeds the malicious payload directly into an SQL query that is sent to the database.\u003c/li\u003e\n\u003cli\u003eThe backend database executes the manipulated SQL query, which may result in sensitive data being returned in the HTTP response, or the execution of arbitrary database commands.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the database's response, potentially gaining access to confidential information, modifying database records, or facilitating further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14744 grants remote, unauthenticated attackers the ability to perform SQL injection, leading to significant compromises. The primary impact includes unauthorized access to sensitive database information, such as user credentials, personal data, or proprietary business information. Attackers could also manipulate or delete data, severely affecting data integrity. In some scenarios, depending on the database configuration and type of SQL injection, remote code execution might be achievable on the server hosting the application, leading to full system compromise. With a public exploit available, the number of potential victims is high, spanning any organization or individual using the affected \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply patches or security updates for \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e as they become available from the vendor, \u003ccode\u003ecode-projects\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM/detection platform to identify attempts to exploit CVE-2026-14744.\u003c/li\u003e\n\u003cli\u003eEnsure web application firewalls (WAFs) are configured to detect and block common SQL injection patterns, specifically targeting the \u003ccode\u003eloc\u003c/code\u003e parameter in \u003ccode\u003e/normalHomeRent.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and parameterized queries in any custom web applications to prevent similar SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for any suspicious requests targeting \u003ccode\u003e/normalHomeRent.php\u003c/code\u003e with unusual \u003ccode\u003eloc\u003c/code\u003e parameter values, especially those matching the IOCs or patterns in the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:19:55Z","date_published":"2026-07-05T12:19:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14744-sql-injection/","summary":"A critical SQL injection vulnerability (CVE-2026-14744) has been found in code-projects Real State Services version 1.0. The flaw resides in an unknown function within the /normalHomeRent.php file, where manipulating the 'loc' argument allows for remote SQL injection, and a public exploit has been released, posing an immediate threat to affected systems.","title":"CVE-2026-14744: Remote SQL Injection in code-projects Real State Services 1.0","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14744-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14743"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","webserver","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA high-severity SQL injection vulnerability, tracked as CVE-2026-14743, has been identified in \u003ccode\u003ecode-projects Real State Services version 1.0\u003c/code\u003e. The flaw specifically resides in an unknown function within the \u003ccode\u003e/normalHomeSale.php\u003c/code\u003e file. Attackers can exploit this vulnerability remotely and without authentication by manipulating the 'loc' argument, embedding malicious SQL queries directly into database commands. This can lead to unauthorized access, modification, or deletion of sensitive database information. The existence of a publicly available exploit significantly increases the risk of this vulnerability being actively abused by malicious actors, making immediate patching or mitigation crucial for any organization using the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies an internet-facing instance of \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: The attacker sends a crafted HTTP GET or POST request to the vulnerable \u003ccode\u003e/normalHomeSale.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation\u003c/strong\u003e: The attacker includes a specially malformed SQL injection payload within the \u003ccode\u003eloc\u003c/code\u003e parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer-Side Processing\u003c/strong\u003e: The vulnerable application processes the request, embedding the attacker-controlled \u003ccode\u003eloc\u003c/code\u003e parameter directly into an SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSQL Injection\u003c/strong\u003e: The database server executes the manipulated SQL query, granting the attacker unauthorized database access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Compromise\u003c/strong\u003e: The attacker can then exfiltrate sensitive data (e.g., user credentials, financial information), modify existing records, or inject new data into the database.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: This leads to a compromise of data confidentiality, integrity, and potentially availability, depending on the attacker's objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14743 could lead to severe consequences for organizations running \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e. Attackers can gain complete control over the application's database, allowing for the exfiltration of sensitive user data, modification of application content, or even complete data destruction. The impact extends to potential financial losses due to data breaches, reputational damage, and service disruption. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14743\u003c/strong\u003e: Immediately apply any available patches or updates for \u003ccode\u003ecode-projects Real State Services 1.0\u003c/code\u003e as advised by the vendor. If no patch is available, remove or decommission the affected service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Application Firewall (WAF)\u003c/strong\u003e: Implement or update WAF rules to detect and block common SQL injection patterns, especially targeting the \u003ccode\u003e/normalHomeSale.php\u003c/code\u003e endpoint and \u003ccode\u003eloc\u003c/code\u003e parameter, which can help prevent exploitation of CVE-2026-14743.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rule\u003c/strong\u003e: Deploy the provided Sigma rule \u0026quot;Detect CVE-2026-14743 Exploitation - SQL Injection in Real State Services\u0026quot; to your SIEM/detection platform.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Webserver Logging\u003c/strong\u003e: Ensure comprehensive web server logging for HTTP requests, including \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters, to enable detection of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:18:59Z","date_published":"2026-07-05T12:18:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14743-sql-injection/","summary":"A high-severity remote SQL injection vulnerability (CVE-2026-14743) in code-projects Real State Services 1.0 allows an unauthenticated attacker to manipulate the 'loc' argument in the `/normalHomeSale.php` file, leading to arbitrary SQL command execution and potential compromise of confidentiality, integrity, and availability of data, with an exploit publicly available.","title":"CVE-2026-14743: Remote SQL Injection in code-projects Real State Services 1.0","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14743-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Real State Services 1.0","version":"https://jsonfeed.org/version/1.1"}