CVE-2026-0592 identifies a SQL injection vulnerability in the Online Product Reservation System version 1.0 developed by code-projects. The vulnerability resides in the User Registration Handler component, specifically within the /handgunner-administrator/register_code.php file. Multiple input parameters related to user registration—such as fname, lname, address, city, province, country, zip, tel_no, email, and username—are not properly sanitized or validated, allowing an attacker to inject malicious SQL code. This injection flaw enables remote attackers to manipulate backend database queries without requiring authentication or user interaction, potentially leading to unauthorized data disclosure, data modification, or denial of service. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, the public availability of exploit code increases the likelihood of attacks. The vulnerability affects only version 1.0 of the product, and no official patches or updates have been linked yet. Organizations using this system should conduct immediate security assessments and implement mitigations to prevent exploitation.

The SQL injection vulnerability in the Online Product Reservation System can have significant impacts on affected organizations. Attackers exploiting this flaw can gain unauthorized access to sensitive customer data stored in the backend database, including personal identifiable information (PII) such as names, addresses, contact details, and usernames. This compromises confidentiality and can lead to data breaches, regulatory penalties, and reputational damage. Additionally, attackers may alter or delete data, affecting data integrity and disrupting business operations. In some cases, SQL injection can be leveraged to execute administrative commands on the database server, potentially leading to full system compromise and availability issues. Given the remote exploitability without authentication, attackers can target vulnerable systems at scale. The public release of exploit code increases the risk of automated attacks and exploitation by less skilled threat actors. Organizations relying on this product for online reservations or e-commerce transactions face risks of financial loss, customer trust erosion, and operational downtime.

To mitigate CVE-2026-0592, organizations should first verify if they are running version 1.0 of the code-projects Online Product Reservation System. Immediate steps include: 1) Implementing input validation and sanitization on all user-supplied data fields related to registration, especially fname, lname, address, city, province, country, zip, tel_no, email, and username, using parameterized queries or prepared statements to prevent SQL injection. 2) Applying web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the vulnerable endpoints. 3) Restricting database user permissions to the minimum necessary to limit the impact of potential injection attacks. 4) Monitoring logs for suspicious activity related to the registration handler and unusual database queries. 5) Segregating the database and application servers to reduce lateral movement risk. 6) Contacting the vendor for patches or updates and applying them promptly once available. 7) Conducting regular security assessments and penetration testing focused on injection vulnerabilities. 8) Educating developers on secure coding practices to prevent similar vulnerabilities in future versions.