Platform: php
Component: projectworlds-car-rental-system
Fixed in: 1.0.1
CVE-2026-5645 describes a SQL Injection vulnerability discovered in projectworlds Car Rental System, specifically within the Parameter Handler component's /pay.php file. This vulnerability allows attackers to manipulate the 'mpesa' argument, potentially leading to unauthorized access and modification of data. The vulnerability impacts versions 1.0.0 through 1.0, and a patch is pending; mitigation strategies are detailed below.
Successful exploitation of CVE-2026-5645 allows an attacker to inject arbitrary SQL commands into the projectworlds Car Rental System. This could lead to a complete compromise of the database, enabling attackers to extract sensitive information such as user credentials, rental agreements, and financial data. Furthermore, an attacker could modify data, potentially disrupting operations or creating fraudulent records. Given the publicly available exploit, the risk of exploitation is high. The blast radius extends to all data stored within the Car Rental System's database, and a successful attack could severely damage the organization's reputation and financial stability.
CVE-2026-5645 has been publicly disclosed and an exploit is available, indicating a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's ease of exploitation, combined with the public availability of the exploit, makes it a significant risk. Organizations should prioritize patching or implementing mitigations to prevent potential attacks.
Exploit Status:
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-5645 is to upgrade to a patched version of projectworlds Car Rental System as soon as it becomes available. Until a patch is released, implement temporary workarounds to reduce the risk of exploitation. These include deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the /pay.php endpoint. Additionally, enforce strict input validation on the 'mpesa' parameter, accepting only values that match the expected type, length and character set. The durable fix is to use parameterized queries or prepared statements for every query that incorporates request data, so that the 'mpesa' value is bound as data rather than concatenated into SQL text. After implementing these mitigations, verify their effectiveness by attempting to reproduce the vulnerability in an isolated test environment.
Update the Car Rental System to a patched version. Review and sanitize the data received through the 'mpesa' parameter in the /pay.php file to prevent SQL injection. Implement appropriate validation and escaping so that malicious SQL cannot be executed.
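The validation and prepared-statement fix described above, as an added example and not the project's own code: the table and column names, the booking_id parameter and the assumed format of the M-Pesa reference are all hypothetical, since the advisory does not publish the affected code.

```php
<?php
// Added example (not projectworlds code): hardened handling of the 'mpesa'
// request parameter in a pay.php-style handler. Table/column names, the
// 'booking_id' parameter and the reference format are assumptions.
declare(strict_types=1);

// Allow-list validation: the reference must match an expected shape before it
// is used anywhere. Assumed format: 8-20 uppercase alphanumerics.
function validateMpesaRef(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    return preg_match('/^[A-Z0-9]{8,20}$/', $value) === 1 ? $value : null;
}

// Parameterized update: the reference is bound as data, never spliced into
// the SQL string. The unsafe pattern this replaces looks like
//   $pdo->query("UPDATE booking SET mpesa='" . $_POST['mpesa'] . "' ...");
function recordPayment(PDO $pdo, int $bookingId, string $mpesaRef): bool
{
    $stmt = $pdo->prepare(
        'UPDATE booking SET mpesa_ref = :ref WHERE id = :id AND mpesa_ref IS NULL'
    );
    $stmt->bindValue(':ref', $mpesaRef, PDO::PARAM_STR);
    $stmt->bindValue(':id', $bookingId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Request handling (DSN and credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=carrental', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false, // real server-side prepared statements
]);

$mpesa     = validateMpesaRef($_POST['mpesa'] ?? null);
$bookingId = filter_input(INPUT_POST, 'booking_id', FILTER_VALIDATE_INT);

if ($mpesa === null || $bookingId === null || $bookingId === false) {
    // Reject early and leave a trace for detection: a burst of rejections on
    // /pay.php is a useful signal for injection probing.
    error_log(sprintf('pay.php: rejected mpesa input from %s', $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Invalid payment reference');
}

echo recordPayment($pdo, $bookingId, $mpesa) ? 'Payment recorded' : 'Booking not found';
```

The WAF rule mentioned above remains a stop-gap; with the value bound through the prepared statement, the query text never changes regardless of what the parameter contains.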
CVE-2026-5645 is a SQL Injection vulnerability affecting projectworlds Car Rental System versions 1.0.0–1.0. Attackers can manipulate the 'mpesa' parameter in /pay.php to inject malicious SQL code.
If you are using projectworlds Car Rental System version 1.0.0–1.0 and have not applied a patch, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of projectworlds Car Rental System. Until a patch is available, implement WAF rules and input validation as temporary mitigations.
Due to the public availability of an exploit, CVE-2026-5645 is considered to be at high risk of active exploitation.
Please refer to the projectworlds website or security mailing list for the official advisory regarding CVE-2026-5645.