CVE-2026-0591 identifies a SQL injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The flaw exists in the /app/checkout/update.php file within the Cart Update Handler component, where the id and qty parameters are not properly sanitized before being used in SQL queries. This lack of input validation allows an attacker to craft malicious SQL statements that can be executed by the backend database. The vulnerability can be exploited remotely without requiring authentication or user interaction, making it accessible to a wide range of attackers. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, and the relatively low complexity of exploitation. Although no confirmed exploits are currently active in the wild, publicly available exploit code increases the risk of future attacks. The vulnerability could allow attackers to extract sensitive customer data, modify reservation records, or disrupt service availability. The absence of patches at the time of disclosure necessitates immediate mitigation efforts focused on input validation and query parameterization. Organizations relying on this product for online reservations or e-commerce should assess their exposure and implement compensating controls until official patches are released.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive customer and transactional data, resulting in data breaches and potential regulatory non-compliance under GDPR. Integrity of reservation and order data could be compromised, leading to fraudulent transactions or service manipulation. Availability of the reservation system might be affected if attackers execute disruptive SQL commands, causing downtime or degraded service performance. The reputational damage and financial losses from such incidents could be significant, especially for businesses heavily reliant on online sales and reservations. Additionally, the public availability of exploit code increases the likelihood of opportunistic attacks targeting vulnerable systems. Organizations operating in sectors such as retail, hospitality, and logistics across Europe should be particularly vigilant, as these industries commonly use reservation and e-commerce platforms.

To mitigate this vulnerability, organizations should immediately implement strict input validation and sanitization for all parameters, especially id and qty, in the affected update.php script. Employing prepared statements with parameterized queries is critical to prevent SQL injection. Until an official patch is released by code-projects, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoints. Conduct thorough code reviews and security testing of the reservation system to identify and remediate similar injection points. Monitor logs for suspicious database query patterns or unusual application behavior indicative of exploitation attempts. Restrict database user privileges to the minimum necessary to limit the impact of a successful injection. Finally, maintain up-to-date backups of reservation data to enable recovery in case of data corruption or loss.