CVE-2026-0575 identifies a SQL injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The vulnerability exists in the administrator login functionality, specifically in the /handgunner-administrator/adminlogin.php file, where the parameters emailadd and pass are improperly sanitized. This allows an unauthenticated remote attacker to inject malicious SQL code through these parameters, potentially manipulating backend database queries. The vulnerability does not require any user interaction or privileges, making it remotely exploitable over the network. The impact includes unauthorized access to sensitive data, modification or deletion of database records, and potential disruption of service. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no public exploits are currently observed in the wild, the public disclosure increases the risk of exploitation. The lack of available patches necessitates immediate mitigation efforts by affected organizations. This vulnerability highlights the critical need for secure coding practices such as input validation and use of parameterized queries in web applications handling authentication.

For European organizations using the affected Online Product Reservation System 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their reservation data and administrative controls. Exploitation could lead to unauthorized access to customer and business data, manipulation of reservation records, or complete administrative takeover. This could result in financial losses, reputational damage, and regulatory penalties under GDPR due to data breaches. The ability to exploit remotely without authentication increases the threat level, especially for organizations exposing the admin login interface to the internet. E-commerce and retail sectors relying on this system may face operational disruptions and loss of customer trust. Additionally, attackers could leverage this vulnerability as a foothold for further network compromise. The medium severity rating suggests a moderate but actionable threat, emphasizing the need for timely remediation to avoid escalation.

1. Immediately restrict access to the /handgunner-administrator/adminlogin.php interface by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. 2. Apply input validation and sanitization on all user-supplied parameters, especially emailadd and pass, to prevent injection of malicious SQL code. 3. Refactor the authentication code to use parameterized queries or prepared statements instead of dynamic SQL concatenation. 4. Monitor web server and application logs for suspicious login attempts or unusual query patterns indicative of SQL injection attempts. 5. If possible, upgrade to a patched or newer version of the Online Product Reservation System once available. 6. Conduct a thorough security audit of the application and database to identify and remediate any other injection points. 7. Implement Web Application Firewall (WAF) rules tailored to detect and block SQL injection payloads targeting the admin login endpoint. 8. Educate development and operations teams on secure coding practices and the importance of regular vulnerability assessments.