Security Advisory - Published 2026-07-06 - PHP / MySQL Apps
code-projects real estate and hotel batch: remove demo apps from public hosting and review database logs
This batch covers multiple SQL injection records in code-projects Real State Services 1.0 and Hotel and Tourism Reservation 1.0. These projects are often copied into shared hosting or school/demo environments; do not leave them on public production domains.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-14754 | code-projects Hotel and Tourism Reservation | 1.0 | room records and admin logs | 7.5 |
| CVE-2026-14755 | code-projects Hotel and Tourism Reservation | 1.0 | reservation records and admin logs | 7.5 |
| CVE-2026-14756 | code-projects Hotel and Tourism Reservation | 1.0 | tour records and admin logs | 7.5 |
| CVE-2026-14762 | code-projects Hotel and Tourism Reservation | 1.0 | room records and admin logs | 7.5 |
| CVE-2026-14763 | code-projects Hotel and Tourism Reservation | 1.0 | tour reservation records and admin logs | 7.5 |
| CVE-2026-14764 | code-projects Hotel and Tourism Reservation | 1.0 | event records and admin logs | 7.5 |
| CVE-2026-14743 | code-projects Real State Services | 1.0 | property listing requests and database logs | 7.5 |
| CVE-2026-14744 | code-projects Real State Services | 1.0 | property listing requests and database logs | 7.5 |
| CVE-2026-14745 | code-projects Real State Services | 1.0 | property detail requests and database logs | 7.5 |
| CVE-2026-14746 | code-projects Real State Services | 1.0 | project creation logs and database changes | 7.5 |
| CVE-2026-14747 | code-projects Real State Services | 1.0 | project creation logs and database changes | 7.5 |
| CVE-2026-14768 | code-projects Real State Services | 1.0 | builder records and database logs | 7.5 |
| CVE-2026-14769 | code-projects Real State Services | 1.0 | payment records and database logs | 7.5 |
What to check
- Public domains, staging hosts, subfolders, and shared hosting accounts that still serve the affected code-projects apps.
- Property listing, project creation, payment, room, reservation, tour, and event administration flows.
- Database errors, changed property/reservation records, unexpected admin activity, and new exports.
- Backups and database snapshots before cleanup, especially when the app has real customer or booking data.
Safe fix path
- Remove unsupported demo apps from public hosting before reviewing data.
- Preserve web access logs, PHP error logs, database logs, and a database snapshot.
- Review property, booking, payment, room, tour, and event records for unexpected changes.
- Migrate production workflows to maintained software instead of patching copied demo code in place.
Compromise indicators
- Repeated requests to listing, booking, project, or administration pages with unusual input length.
- Database errors, missing records, changed prices, changed bookings, or unexpected payment records.
- New administrator sessions, backup downloads, or exports outside the normal maintenance window.
- Demo folders reappearing after cleanup because old backups were restored.
When to ask Ping7 for repair
Use Ping7 CVE Repair when a demo PHP app is public, booking or property data may have changed, or cleanup needs database review before removal.