CVE-2026-5368 is a SQL injection vulnerability identified in the projectworlds Car Rental Project version 1.0, affecting the /login.php file's parameter handler component. The vulnerability arises from improper sanitization or validation of the 'uname' parameter, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This injection can manipulate backend database queries, potentially exposing sensitive user data, altering database contents, or disrupting application availability. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impacts on confidentiality, integrity, and availability. Although no exploits have been observed in the wild and no official patches have been released, the public disclosure of the vulnerability increases the risk of exploitation. The vulnerability specifically targets the login functionality, a critical component for authentication, which could allow attackers to bypass authentication or extract user credentials. The lack of scope change means the vulnerability affects only the vulnerable component without impacting other system components. The vulnerability is categorized as medium severity due to its potential impact balanced against the absence of known active exploitation and partial impact levels.

The SQL injection vulnerability in the login component can lead to unauthorized access to sensitive user data, including credentials and personal information, compromising confidentiality. Attackers may also modify or delete database records, affecting data integrity. Additionally, exploitation could disrupt the availability of the login service, preventing legitimate users from accessing the system. For organizations relying on the projectworlds Car Rental Project 1.0, this could result in data breaches, loss of customer trust, regulatory penalties, and operational disruptions. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks if the vulnerability is not addressed promptly. The absence of known exploits currently limits immediate impact but does not reduce the potential severity if exploited. Given the critical role of login functionality, successful exploitation could also facilitate further attacks within the network or application environment.

To mitigate this vulnerability, organizations should immediately implement input validation and sanitization on the 'uname' parameter to prevent malicious SQL code injection. Employing parameterized queries or prepared statements in the login.php code is essential to eliminate direct concatenation of user input into SQL commands. Conduct a thorough code review of all input handling in the application to identify and remediate similar vulnerabilities. Monitor application logs and network traffic for unusual or suspicious activities indicative of SQL injection attempts. If possible, restrict access to the login interface via network controls or web application firewalls (WAFs) configured with SQL injection detection rules. Since no official patch is available, consider isolating or temporarily disabling vulnerable components until a fix is released. Educate developers on secure coding practices to prevent recurrence. Finally, maintain regular backups of databases to enable recovery in case of data tampering or loss.