<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Real-Estate - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/real-estate/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 12:20:55 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/real-estate/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14745: SQL Injection in code-projects Real State Services</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/</link><pubDate>Sun, 05 Jul 2026 12:20:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14745-sql-injection/</guid><description>A critical SQL injection vulnerability (CVE-2026-14745) affecting code-projects Real State Services version 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands by manipulating the 'ID' argument in the '/single-list_rent.php' file, potentially leading to data exposure, unauthorized modification, or denial of service, with a public exploit available.</description><content:encoded><![CDATA[<p>A severe SQL injection vulnerability, identified as CVE-2026-14745, has been discovered in version 1.0 of the code-projects Real State Services application. The flaw resides within an unknown function associated with the <code>/single-list_rent.php</code> file, where improper sanitization of the <code>ID</code> argument allows unauthenticated attackers to inject and execute arbitrary SQL commands. This remote exploit poses a significant risk as it can be initiated without prior authentication, and a proof-of-concept exploit has been publicly disclosed, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing robust input validation to prevent attackers from compromising sensitive database information, modifying records, or potentially achieving remote code execution on the underlying server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker discovers or targets a web server running code-projects Real State Services 1.0, potentially using publicly available exploit information for CVE-2026-14745.</li>
<li>The attacker crafts a malicious HTTP GET request targeting the vulnerable <code>/single-list_rent.php</code> endpoint.</li>
<li>A carefully constructed SQL injection payload is embedded within the <code>ID</code> URL parameter (e.g., <code>/single-list_rent.php?ID=&lt;SQL_PAYLOAD&gt;</code>).</li>
<li>The vulnerable application component processes the <code>ID</code> parameter without adequate input validation or sanitization, leading to the concatenation and execution of the attacker's SQL query by the backend database.</li>
<li>Depending on the injected payload, the database executes commands such as extracting sensitive data (e.g., user credentials, property listings, application configuration) or modifying existing records.</li>
<li>The application's HTTP response, designed to display rental property details, inadvertently includes the results of the executed SQL query, allowing the attacker to exfiltrate the targeted data.</li>
<li>The attacker achieves unauthorized access to confidential information, can manipulate application data, or potentially escalate privileges to achieve remote code execution on the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14745 allows remote, unauthenticated attackers to gain unauthorized access to the application's underlying database. This can lead to the full compromise of sensitive data, including but not limited to user credentials, personal identifiable information of clients, property listings, and administrative records, directly affecting confidentiality. Attackers could also modify database contents, leading to data integrity issues such as altering property details or transaction records. In some cases, SQL injection vulnerabilities can be leveraged for remote code execution on the server, allowing for full system compromise. The availability of a public exploit significantly increases the risk of widespread attacks against organizations using this Real Estate Services application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch code-projects Real State Services 1.0 to a secure version if available, or remove the application from public access.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious web requests to <code>/single-list_rent.php</code>.</li>
<li>Implement a Web Application Firewall (WAF) to block known SQL injection patterns and monitor for attempts to exploit CVE-2026-14745, specifically traffic targeting <code>/single-list_rent.php</code> with suspicious <code>ID</code> parameters.</li>
<li>Review web server access logs for <code>cs-uri-stem</code> containing <code>/single-list_rent.php</code> and <code>cs-uri-query</code> containing SQL injection indicators (e.g., quotes, comments, boolean operators) to identify past or ongoing exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>sql-injection</category><category>cve</category><category>real-estate</category><category>vulnerability</category></item></channel></rss>