CVE-2026-0579 identifies a SQL Injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The vulnerability resides in the POST parameter handler within the /handgunner-administrator/edit.php script. Specifically, the parameters prod_id, name, price, model, and serial are insufficiently sanitized, allowing an attacker to inject malicious SQL commands. This injection can be performed remotely without any authentication or user interaction, making exploitation straightforward. The vulnerability could enable attackers to execute arbitrary SQL queries on the backend database, potentially leading to unauthorized data disclosure, data modification, or deletion. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the ease of exploitation (network attack vector, no privileges or user interaction required) but limited scope and impact (low to medium impact on confidentiality, integrity, and availability). No patches have been officially released yet, and no active exploitation has been reported, but a public exploit is available, increasing the risk of future attacks. The affected product is typically used for managing online product reservations, which may involve sensitive customer and inventory data, making the vulnerability significant for organizations relying on this system.

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive customer and business data stored in the reservation system's database. This may include personal identifiable information, pricing, inventory details, and transactional records. Data integrity could be compromised, allowing attackers to alter reservation details or product information, potentially disrupting business operations and customer trust. Availability could also be affected if attackers execute destructive SQL commands, causing system downtime. Given the remote and unauthenticated nature of the exploit, attackers could target multiple organizations at scale. This is particularly concerning for e-commerce and retail sectors in Europe that rely on such reservation systems. Regulatory compliance risks also arise, especially under GDPR, due to potential data breaches involving personal data. The medium severity suggests a moderate but tangible risk that requires timely mitigation to prevent escalation or exploitation in the wild.

Organizations using code-projects Online Product Reservation System 1.0 should immediately audit their installations for this vulnerability. Since no official patch is currently available, mitigation should focus on implementing web application firewalls (WAFs) with SQL injection detection and prevention rules tailored to the vulnerable parameters (prod_id, name, price, model, serial). Input validation and parameter sanitization should be enforced at the application level, ideally by updating or rewriting the affected code to use parameterized queries or prepared statements. Restricting access to the /handgunner-administrator/edit.php endpoint via network segmentation or IP whitelisting can reduce exposure. Monitoring database logs for unusual queries and setting up alerting for suspicious activities can help detect exploitation attempts early. Organizations should also plan to upgrade or replace the vulnerable product with a secure version once available. Regular backups and incident response plans should be reviewed to minimize impact in case of a successful attack.