Skip to main content

Real State Services

6 CVEs product

Monthly

CVE-2026-14769 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14747 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14746 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14745 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14744 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14743 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy