{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/public-exploit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14746"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","cve","webserver","public-exploit"],"_cs_type":"threat","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA high-severity SQL injection vulnerability, identified as CVE-2026-14746, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the \u003ccode\u003e/addprojectrent.php\u003c/code\u003e endpoint, where an attacker can manipulate the \u003ccode\u003eamen\u003c/code\u003e argument to inject and execute arbitrary SQL commands. The vulnerability is remotely exploitable and does not require authentication, making it a critical threat. Public disclosure of the exploit increases the likelihood of active exploitation in the wild. This vulnerability could lead to unauthorized access to sensitive data, modification of database contents, or potentially complete compromise of the affected web application's data. Organizations running this specific application version are strongly advised to take immediate remediation steps.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an internet-facing instance of code-projects Real State Services 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/addprojectrent.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker injects SQL payloads into the \u003ccode\u003eamen\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the \u003ccode\u003eamen\u003c/code\u003e argument without adequate input validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL payload is then executed directly within the application's backend database.\u003c/li\u003e\n\u003cli\u003eThis successful injection allows the attacker to read, modify, or delete sensitive data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may also be able to gain unauthorized administrative access or exfiltrate confidential information, leading to data breaches.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14746 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain full control over the application's database, allowing them to steal sensitive user data, property listings, or financial information. They could also manipulate or deface the website, insert malicious content, or compromise the integrity of the real estate listings. Given that the exploit has been publicly disclosed, organizations running this application are at an elevated risk of immediate data breaches, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply any available patches or updates provided by code-projects for Real State Services 1.0 to address CVE-2026-14746.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all user-supplied data, specifically focusing on the \u003ccode\u003eamen\u003c/code\u003e argument in \u003ccode\u003e/addprojectrent.php\u003c/code\u003e, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) to detect and block malicious HTTP requests containing SQL injection payloads, protecting against CVE-2026-14746.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-14746 Exploitation — SQL Injection in Real State Services\u0026quot; to your SIEM and tune for your environment to identify attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:21:44Z","date_published":"2026-07-05T12:21:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-code-projects-real-state-services-sql-injection/","summary":"A high-severity SQL injection vulnerability (CVE-2026-14746) exists in code-projects Real State Services 1.0, specifically in the `/addprojectrent.php` file, where the `amen` argument can be manipulated to execute arbitrary SQL commands, enabling remote attackers to achieve unauthorized data access or modification, with public exploit disclosure increasing the risk of active exploitation.","title":"CVE-2026-14746: SQL Injection in code-projects Real State Services","url":"https://feed.craftedsignal.io/briefs/2026-07-code-projects-real-state-services-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Public-Exploit","version":"https://jsonfeed.org/version/1.1"}