{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/smart-parking-system-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14735"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Smart Parking System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","vulnerability","web-application","php","cve"],"_cs_type":"threat","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA significant SQL injection vulnerability, tracked as CVE-2026-14735, has been discovered in version 1.0 of the code-projects Smart Parking System. The flaw resides within an unspecified function of the \u003ccode\u003e/parkings/parkings.php\u003c/code\u003e file, where improper handling of user-supplied input to the \u003ccode\u003estreet\u003c/code\u003e, \u003ccode\u003ecity\u003c/code\u003e, or \u003ccode\u003estatus\u003c/code\u003e parameters allows for remote SQL injection. This vulnerability enables unauthenticated attackers to execute arbitrary SQL commands against the backend database. Public disclosure of exploit details indicates the potential for active exploitation, with one reported consequence being the ability to perform arbitrary file reads on the underlying system, exposing sensitive data to attackers. Organizations using this system are at high risk of data breaches and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable instance of code-projects Smart Parking System 1.0 accessible via the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/parkings/parkings.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes SQL injection payloads within the \u003ccode\u003estreet\u003c/code\u003e, \u003ccode\u003ecity\u003c/code\u003e, or \u003ccode\u003estatus\u003c/code\u003e URL parameters, designed to bypass input validation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the unsanitized input, causing the backend database to execute the attacker's injected SQL commands.\u003c/li\u003e\n\u003cli\u003eThe injected SQL commands leverage database capabilities (e.g., \u003ccode\u003eLOAD_FILE()\u003c/code\u003e or \u003ccode\u003eUNION SELECT\u003c/code\u003e statements) to read arbitrary files from the server's file system (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application configuration files).\u003c/li\u003e\n\u003cli\u003eThe database query results, containing the contents of the requested files, are returned within the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract the sensitive file contents, achieving data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14735 could lead to significant data breaches, potentially exposing sensitive information from configuration files, system credentials, or other critical files on the server. The ability to perform arbitrary file reads allows attackers to gain reconnaissance about the system, retrieve database credentials, or even steal application source code. While the NVD does not specify victim counts or targeted sectors, any organization using the code-projects Smart Parking System 1.0 is susceptible. The public disclosure of exploit details increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch or update code-projects Smart Parking System to a non-vulnerable version if available. If no patch is available, remove the application from public access until a fix is released.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-14735 via suspicious parameters in web requests.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for HTTP GET requests to \u003ccode\u003e/parkings/parkings.php\u003c/code\u003e containing SQL injection patterns in the \u003ccode\u003estreet\u003c/code\u003e, \u003ccode\u003ecity\u003c/code\u003e, or \u003ccode\u003estatus\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) in front of affected systems and ensure it is configured to detect and block SQL injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T10:29:08Z","date_published":"2026-07-05T10:29:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14735-smart-parking-sqli/","summary":"A high-severity SQL injection vulnerability, CVE-2026-14735, exists in code-projects Smart Parking System 1.0, allowing remote attackers to manipulate the `street`, `city`, or `status` arguments in `/parkings/parkings.php` to execute arbitrary SQL queries, potentially leading to arbitrary file read and data exfiltration, with public exploit details available.","title":"CVE-2026-14735: SQL Injection Vulnerability in code-projects Smart Parking System","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14735-smart-parking-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Smart Parking System 1.0","version":"https://jsonfeed.org/version/1.1"}