{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/real-estate/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14745"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Real State Services 1.0"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","sql-injection","cve","real-estate","vulnerability"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA severe SQL injection vulnerability, identified as CVE-2026-14745, has been discovered in version 1.0 of the code-projects Real State Services application. The flaw resides within an unknown function associated with the \u003ccode\u003e/single-list_rent.php\u003c/code\u003e file, where improper sanitization of the \u003ccode\u003eID\u003c/code\u003e argument allows unauthenticated attackers to inject and execute arbitrary SQL commands. This remote exploit poses a significant risk as it can be initiated without prior authentication, and a proof-of-concept exploit has been publicly disclosed, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing robust input validation to prevent attackers from compromising sensitive database information, modifying records, or potentially achieving remote code execution on the underlying server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker discovers or targets a web server running code-projects Real State Services 1.0, potentially using publicly available exploit information for CVE-2026-14745.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the vulnerable \u003ccode\u003e/single-list_rent.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eA carefully constructed SQL injection payload is embedded within the \u003ccode\u003eID\u003c/code\u003e URL parameter (e.g., \u003ccode\u003e/single-list_rent.php?ID=\u0026lt;SQL_PAYLOAD\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable application component processes the \u003ccode\u003eID\u003c/code\u003e parameter without adequate input validation or sanitization, leading to the concatenation and execution of the attacker's SQL query by the backend database.\u003c/li\u003e\n\u003cli\u003eDepending on the injected payload, the database executes commands such as extracting sensitive data (e.g., user credentials, property listings, application configuration) or modifying existing records.\u003c/li\u003e\n\u003cli\u003eThe application's HTTP response, designed to display rental property details, inadvertently includes the results of the executed SQL query, allowing the attacker to exfiltrate the targeted data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized access to confidential information, can manipulate application data, or potentially escalate privileges to achieve remote code execution on the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14745 allows remote, unauthenticated attackers to gain unauthorized access to the application's underlying database. This can lead to the full compromise of sensitive data, including but not limited to user credentials, personal identifiable information of clients, property listings, and administrative records, directly affecting confidentiality. Attackers could also modify database contents, leading to data integrity issues such as altering property details or transaction records. In some cases, SQL injection vulnerabilities can be leveraged for remote code execution on the server, allowing for full system compromise. The availability of a public exploit significantly increases the risk of widespread attacks against organizations using this Real Estate Services application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch code-projects Real State Services 1.0 to a secure version if available, or remove the application from public access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious web requests to \u003ccode\u003e/single-list_rent.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to block known SQL injection patterns and monitor for attempts to exploit CVE-2026-14745, specifically traffic targeting \u003ccode\u003e/single-list_rent.php\u003c/code\u003e with suspicious \u003ccode\u003eID\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for \u003ccode\u003ecs-uri-stem\u003c/code\u003e containing \u003ccode\u003e/single-list_rent.php\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e containing SQL injection indicators (e.g., quotes, comments, boolean operators) to identify past or ongoing exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T12:20:55Z","date_published":"2026-07-05T12:20:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/","summary":"A critical SQL injection vulnerability (CVE-2026-14745) affecting code-projects Real State Services version 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands by manipulating the 'ID' argument in the '/single-list_rent.php' file, potentially leading to data exposure, unauthorized modification, or denial of service, with a public exploit available.","title":"CVE-2026-14745: SQL Injection in code-projects Real State Services","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Real-Estate","version":"https://jsonfeed.org/version/1.1"}