CVE-2026-0590 identifies a SQL injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The vulnerability resides in the POST parameter handler within the /app/checkout/delete.php script, specifically in the handling of the 'ID' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL commands into the backend database query. This injection flaw can allow unauthorized access to or modification of database contents, potentially leading to data leakage, unauthorized data alteration, or denial of service conditions. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector indicates low complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation by attackers. The absence of patches or mitigations from the vendor at this time necessitates immediate defensive measures by users of the affected system. The vulnerability affects only version 1.0 of the product, so upgrading or patching when available is critical. This vulnerability is typical of improper input validation and lack of parameterized queries in web applications handling user-supplied data.

For European organizations using the affected Online Product Reservation System 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their reservation data and potentially other connected systems. Exploitation could lead to unauthorized disclosure of customer information, manipulation or deletion of reservation records, and disruption of business operations. This could result in financial losses, reputational damage, and regulatory compliance issues under GDPR due to exposure of personal data. E-commerce and retail sectors relying on this system for order management are particularly vulnerable. The remote and unauthenticated nature of the exploit increases the attack surface, enabling attackers to target organizations without prior access. Although the impact is rated medium, the potential for chained attacks or further exploitation of compromised data elevates the risk. Organizations may also face legal liabilities if customer data is compromised. The lack of vendor patches means organizations must rely on internal mitigations until official fixes are released.

Organizations should immediately audit their use of the code-projects Online Product Reservation System version 1.0 and isolate affected instances. Implement strict input validation and sanitization on all user-supplied parameters, especially the 'ID' parameter in /app/checkout/delete.php. Employ parameterized queries or prepared statements to prevent SQL injection. If possible, restrict network access to the affected endpoint using firewalls or web application firewalls (WAFs) with rules designed to detect and block SQL injection patterns. Monitor logs for suspicious activity targeting the vulnerable parameter. Conduct code reviews to identify similar injection flaws elsewhere in the application. Engage with the vendor for patches or updates and plan for immediate deployment once available. Consider migrating to alternative reservation systems if patches are delayed. Educate developers on secure coding practices to prevent future injection vulnerabilities. Finally, ensure regular backups of databases to enable recovery in case of data tampering or loss.