CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

Executive Summary

A SQL injection vulnerability (CVE-2026-5637) has been identified in projectworlds Car Rental System 1.0, a widely used open-source web application for vehicle rental management. The vulnerability resides in the /message_admin.php file within the Parameter Handler component. Manipulation of the Message argument allows an attacker to inject arbitrary SQL into the underlying database query.

The flaw is remotely exploitable over the network with no authentication required and has been assigned a CVSS v3.1 score of 7.3 (High).

CVSS Score: 7.3 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-5637
CVSS Score	7.3 (High)
Type	SQL Injection
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality / Integrity / Availability	Low / Low / Low
Published	2026-04-06
Source	NVD / NIST

Affected Products

Product	Version	Component	Status
projectworlds Car Rental System	1.0	message_admin.php	Vulnerable

Technical Details

Vulnerability Description

The Parameter Handler in message_admin.php fails to properly sanitize user-supplied input before incorporating it into a SQL query. Specifically, the Message parameter is passed directly (or with insufficient filtering) into a database query, allowing an attacker to append SQL syntax that alters query logic.

Attack Mechanics

SQL injection vulnerabilities arise when user input is concatenated into a SQL query without parameterization or escaping. In this case:

POST /message_admin.php HTTP/1.1
Host: target.example.com
 
Message=Hello' OR '1'='1

A crafted payload in the Message parameter can cause the database engine to:

Bypass authentication logic built on query results
Enumerate database tables, columns, and data via UNION-based or error-based injection
Extract sensitive records including user credentials, booking data, and personal information
Write files to the server (if FILE privilege is granted to the database user)
Execute operating system commands via database-side features (e.g., MySQL xp_cmdshell equivalent or UDF abuse in certain configurations)

Exploitation Prerequisites

Network reachability to the web server hosting the Car Rental System
No authentication or account required
Standard HTTP client (browser, curl, SQLMap)

Impact Assessment

Impact Area	Description
Data Exposure	Customer PII, booking records, payment data, and admin credentials may be extracted
Authentication Bypass	Admin panels may be accessible without valid credentials
Database Manipulation	Attackers can insert, update, or delete records
Potential RCE	In environments with elevated DB privileges, command execution may be achievable
Reputational Harm	Exposure of customer data creates liability under GDPR and similar regulations

Recommendations

Immediate Mitigations

Apply parameterized queries / prepared statements — Replace all string-concatenated SQL in message_admin.php with parameterized queries using PDO or MySQLi prepared statements
Input validation — Enforce server-side type and length validation on all user inputs before processing
Least-privilege DB accounts — Ensure the application's database user has only SELECT, INSERT, UPDATE permissions; revoke FILE and SUPER if granted
Web Application Firewall (WAF) — Deploy a WAF rule to detect and block SQLi patterns targeting message_admin.php
Monitor database logs — Enable and review slow query logs and error logs for anomalous query patterns

Code-Level Fix (PHP Example)

Replace vulnerable concatenation:

// VULNERABLE — DO NOT USE
$query = "SELECT * FROM messages WHERE message = '" . $_POST['Message'] . "'";

With a parameterized prepared statement:

// SECURE
$stmt = $pdo->prepare("SELECT * FROM messages WHERE message = ?");
$stmt->execute([$_POST['Message']]);

Detection Indicators

Indicator	Description
Unusual SQL keywords in HTTP POST bodies	`UNION`, `SELECT`, `OR 1=1`, `--` in `Message` parameter
Repeated 500 errors from message_admin.php	Error-based SQLi probing
Abnormally large response bodies	Data exfiltration via UNION injection
SQLMap tool signatures in User-Agent	Automated exploitation attempts
Unexpected database user activity	Non-application queries executed against the DB

References

Executive Summary

The flaw is remotely exploitable over the network with no authentication required and has been assigned a CVSS v3.1 score of 7.3 (High).

CVSS Score: 7.3 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-5637
CVSS Score	7.3 (High)
Type	SQL Injection
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality / Integrity / Availability	Low / Low / Low
Published	2026-04-06
Source	NVD / NIST

Affected Products

Product	Version	Component	Status
projectworlds Car Rental System	1.0	message_admin.php	Vulnerable

Technical Details

Vulnerability Description

Attack Mechanics

SQL injection vulnerabilities arise when user input is concatenated into a SQL query without parameterization or escaping. In this case:

POST /message_admin.php HTTP/1.1
Host: target.example.com
 
Message=Hello' OR '1'='1

A crafted payload in the Message parameter can cause the database engine to:

Bypass authentication logic built on query results
Enumerate database tables, columns, and data via UNION-based or error-based injection
Extract sensitive records including user credentials, booking data, and personal information
Write files to the server (if FILE privilege is granted to the database user)
Execute operating system commands via database-side features (e.g., MySQL xp_cmdshell equivalent or UDF abuse in certain configurations)

Exploitation Prerequisites

Network reachability to the web server hosting the Car Rental System
No authentication or account required
Standard HTTP client (browser, curl, SQLMap)

Impact Assessment

Impact Area	Description
Data Exposure	Customer PII, booking records, payment data, and admin credentials may be extracted
Authentication Bypass	Admin panels may be accessible without valid credentials
Database Manipulation	Attackers can insert, update, or delete records
Potential RCE	In environments with elevated DB privileges, command execution may be achievable
Reputational Harm	Exposure of customer data creates liability under GDPR and similar regulations

Recommendations

Immediate Mitigations

Apply parameterized queries / prepared statements — Replace all string-concatenated SQL in message_admin.php with parameterized queries using PDO or MySQLi prepared statements
Input validation — Enforce server-side type and length validation on all user inputs before processing
Least-privilege DB accounts — Ensure the application's database user has only SELECT, INSERT, UPDATE permissions; revoke FILE and SUPER if granted
Web Application Firewall (WAF) — Deploy a WAF rule to detect and block SQLi patterns targeting message_admin.php
Monitor database logs — Enable and review slow query logs and error logs for anomalous query patterns

Code-Level Fix (PHP Example)

Replace vulnerable concatenation:

// VULNERABLE — DO NOT USE
$query = "SELECT * FROM messages WHERE message = '" . $_POST['Message'] . "'";

With a parameterized prepared statement:

// SECURE
$stmt = $pdo->prepare("SELECT * FROM messages WHERE message = ?");
$stmt->execute([$_POST['Message']]);

Detection Indicators

Indicator	Description
Unusual SQL keywords in HTTP POST bodies	`UNION`, `SELECT`, `OR 1=1`, `--` in `Message` parameter
Repeated 500 errors from message_admin.php	Error-based SQLi probing
Abnormally large response bodies	Data exfiltration via UNION injection
SQLMap tool signatures in User-Agent	Automated exploitation attempts
Unexpected database user activity	Non-application queries executed against the DB

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Vulnerability Description

Attack Mechanics

Exploitation Prerequisites

Impact Assessment

Recommendations

Immediate Mitigations

Code-Level Fix (PHP Example)

Detection Indicators

References

CVE-2026-5534 — SQL Injection in itsourcecode Online Enrollment System 1.0

CVE-2026-5540 — SQL Injection in code-projects Simple Laundry System 1.0

CVE-2019-25662: ResourceSpace 8.6 Unauthenticated SQL Injection

CVE-2026-5637: SQL Injection in projectworlds Car Rental System 1.0

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Vulnerability Description

Attack Mechanics

Exploitation Prerequisites

Impact Assessment

Recommendations

Immediate Mitigations

Code-Level Fix (PHP Example)

Detection Indicators

References

CVE-2026-5534 — SQL Injection in itsourcecode Online Enrollment System 1.0

CVE-2026-5540 — SQL Injection in code-projects Simple Laundry System 1.0

CVE-2019-25662: ResourceSpace 8.6 Unauthenticated SQL Injection