EUVD-2026-19221
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A weakness has been identified in projectworlds Car Rental System 1.0. Affected by this vulnerability is an unknown functionality of the file /pay.php of the component Parameter Handler. Executing a manipulation of the argument mpesa can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Analysis
SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to manipulate database queries via the mpesa parameter in /pay.php. The vulnerability carries a CVSS score of 7.3 with network-based exploitation requiring low complexity and no user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
24 hours: Identify all instances of projectworlds Car Rental System 1.0 in production and isolate affected systems from public internet access or disable the /pay.php endpoint if business-critical functionality permits. 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the mpesa parameter; escalate to projectworlds for patch timeline and interim security guidance. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today