CVE-2026-0575 identifies a SQL injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The vulnerability resides in the Administrator Login module, specifically in the /handgunner-administrator/adminlogin.php script. The issue arises due to improper sanitization or validation of input parameters 'emailadd' and 'pass', which are used in SQL queries without adequate protection against injection attacks. An attacker can remotely supply crafted input to these parameters, causing the backend SQL query to execute unintended commands. This can lead to unauthorized data retrieval, modification, or deletion within the database. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is low but present, as the attacker may gain limited database access or manipulation capabilities. No official patches or fixes have been linked yet, and no known exploits are reported in the wild. However, public disclosure increases the likelihood of exploitation attempts. Organizations using this product should assess their exposure and implement mitigations promptly.

The SQL injection vulnerability allows remote attackers to manipulate backend database queries through the administrator login interface, potentially leading to unauthorized access to sensitive reservation data or administrative credentials. This can compromise confidentiality by exposing private user or business data, integrity by allowing unauthorized modification of records, and availability if attackers delete or corrupt database entries. Although the impact is rated low to medium, exploitation could facilitate further attacks such as privilege escalation or lateral movement within the affected environment. Organizations relying on this product for online reservations may face operational disruptions, data breaches, and reputational damage. The lack of authentication or user interaction requirements increases the risk of automated exploitation attempts. Given the public disclosure, threat actors may develop exploits targeting vulnerable installations, especially in environments where this software is widely deployed.

1. Immediately review and apply any official patches or updates from the vendor once available. 2. If patches are not yet available, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'emailadd' and 'pass' parameters on the /handgunner-administrator/adminlogin.php endpoint. 3. Employ input validation and parameterized queries or prepared statements in the application code to prevent SQL injection. 4. Restrict access to the administrator login page by IP whitelisting or VPN to reduce exposure. 5. Monitor logs for suspicious login attempts or unusual query patterns indicative of injection attempts. 6. Conduct regular security assessments and penetration testing focusing on injection flaws. 7. Educate developers and administrators about secure coding practices and the risks of unsanitized input. 8. Consider isolating the affected system within a segmented network zone to limit potential lateral movement in case of compromise.