Security Advisory - Published 2026-07-06 - PHP / MySQL Apps

code-projects real estate and hotel batch: remove demo apps from public hosting and review database logs

This batch covers multiple SQL injection records in code-projects Real State Services 1.0 and Hotel and Tourism Reservation 1.0. These projects are often copied into shared hosting or school/demo environments; do not leave them on public production domains.

Defensive scope: check systems you own or are approved to repair. This page covers exposure, logs, data review, and removal decisions.

Affected CVEs in this batch

CVEProductAffectedReviewCVSS
CVE-2026-14754code-projects Hotel and Tourism Reservation1.0room records and admin logs7.5
CVE-2026-14755code-projects Hotel and Tourism Reservation1.0reservation records and admin logs7.5
CVE-2026-14756code-projects Hotel and Tourism Reservation1.0tour records and admin logs7.5
CVE-2026-14762code-projects Hotel and Tourism Reservation1.0room records and admin logs7.5
CVE-2026-14763code-projects Hotel and Tourism Reservation1.0tour reservation records and admin logs7.5
CVE-2026-14764code-projects Hotel and Tourism Reservation1.0event records and admin logs7.5
CVE-2026-14743code-projects Real State Services1.0property listing requests and database logs7.5
CVE-2026-14744code-projects Real State Services1.0property listing requests and database logs7.5
CVE-2026-14745code-projects Real State Services1.0property detail requests and database logs7.5
CVE-2026-14746code-projects Real State Services1.0project creation logs and database changes7.5
CVE-2026-14747code-projects Real State Services1.0project creation logs and database changes7.5
CVE-2026-14768code-projects Real State Services1.0builder records and database logs7.5
CVE-2026-14769code-projects Real State Services1.0payment records and database logs7.5

What to check

  • Public domains, staging hosts, subfolders, and shared hosting accounts that still serve the affected code-projects apps.
  • Property listing, project creation, payment, room, reservation, tour, and event administration flows.
  • Database errors, changed property/reservation records, unexpected admin activity, and new exports.
  • Backups and database snapshots before cleanup, especially when the app has real customer or booking data.

Safe fix path

  1. Remove unsupported demo apps from public hosting before reviewing data.
  2. Preserve web access logs, PHP error logs, database logs, and a database snapshot.
  3. Review property, booking, payment, room, tour, and event records for unexpected changes.
  4. Migrate production workflows to maintained software instead of patching copied demo code in place.

Compromise indicators

  • Repeated requests to listing, booking, project, or administration pages with unusual input length.
  • Database errors, missing records, changed prices, changed bookings, or unexpected payment records.
  • New administrator sessions, backup downloads, or exports outside the normal maintenance window.
  • Demo folders reappearing after cleanup because old backups were restored.

When to ask Ping7 for repair

Use Ping7 CVE Repair when a demo PHP app is public, booking or property data may have changed, or cleanup needs database review before removal.

References