CVE-2026-2553
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. This affects an unknown part of the file /home.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Name/Email results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2553
EUVD
EUVD-2026-6092
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2553 is a SQL Injection vulnerability in the tushar-2223 Hotel-Management-System, specifically in the HTTP POST request handler of the file /home.php. The vulnerability arises because user-supplied input parameters such as Name and Email are directly concatenated into an SQL INSERT query without proper input sanitization or the use of prepared statements.

An authenticated attacker can exploit this flaw by injecting arbitrary SQL code through these parameters, enabling unauthorized database interactions. The vulnerability was confirmed using a time-based blind SQL injection technique, where injecting a payload causes a significant delay in server response, proving successful exploitation.

The vulnerability affects the room reservation functionality and can be exploited remotely by an authenticated user.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected Hotel-Management-System.'}, {'type': 'list_item', 'content': 'Confidentiality: An attacker can access sensitive data stored in the database.'}, {'type': 'list_item', 'content': 'Integrity: The attacker can modify or delete data by executing arbitrary SQL commands.'}, {'type': 'list_item', 'content': "Availability: The system's availability can be disrupted, for example, through time-based SQL injection attacks causing delays or denial of service."}, {'type': 'paragraph', 'content': "Since the attack requires authentication but can be performed remotely with low complexity and no user interaction, it poses a significant risk to the system's security."}] [2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by performing an authenticated test on the room reservation functionality of the tushar-2223 Hotel-Management-System. Specifically, intercept the HTTP POST request to the /home.php endpoint and inject a time-based blind SQL payload into vulnerable parameters such as Name or Email.'}, {'type': 'paragraph', 'content': "For example, you can use a payload like: Name=Alex'+(select*from(select(sleep(10)))a)+' to test for SQL injection. If the server response time increases significantly (e.g., from about 20 ms to over 10,000 ms), it confirms the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'This detection requires logging in as a valid user, navigating to the room reservation feature, and intercepting the POST request with tools such as Burp Suite or curl combined with manual payload injection.'}] [1]

Mitigation Strategies

No known countermeasures or official mitigations have been published by the vendor, who did not respond to the disclosure.

Immediate steps include avoiding use of the affected product or replacing it with an alternative solution, as the vulnerability allows remote authenticated attackers to execute arbitrary SQL commands.

Additionally, restricting access to the affected endpoints, monitoring for suspicious activity, and applying web application firewall (WAF) rules to detect and block SQL injection attempts may help reduce risk until a patch or fix is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2553. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart