CVE-2026-3711
Status: Received - Intake
SQL Injection in Simple Flight Ticket Booking System Adminupdate.php

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in code-projects Simple Flight Ticket Booking System 1.0. An unknown function of the file /Adminupdate.php is affected. Manipulation of any of the arguments flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc or bp results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used.
Meta Information
Published: 2026-03-08
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE:
Vendor: carmelo
Product: simple_flight_ticket_booking_system
Version / Range: 1.0
CWE ID / Description
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3711 is a critical SQL injection vulnerability found in version 1.0 of the Simple Flight Ticket Booking System, specifically in the /Adminupdate.php file.

The vulnerability arises because multiple input parameters such as flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, and bp are not properly sanitized or validated before being used in SQL queries.

This improper handling allows remote attackers to inject malicious SQL code, potentially manipulating the database by modifying flight records, changing prices, or executing arbitrary SQL commands.

Exploitation may require administrative authentication depending on deployment, but the attack can be executed remotely. A proof-of-concept exploit is publicly available.


How can this vulnerability impact me?

This vulnerability can allow attackers to remotely execute arbitrary SQL commands on the affected system's database.

- Unauthorized modification or deletion of flight records.
- Access to sensitive information stored in the database.
- Potential compromise of the confidentiality, integrity, and availability of the system.

Because the exploit is public and can be executed remotely, systems using this software are at risk of data breaches and operational disruption. [1, 2, 4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying the presence of the vulnerable file /Adminupdate.php in the Simple Flight Ticket Booking System version 1.0 and by testing the parameters flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, and bp for SQL injection.

One detection method is to use Google dorking with queries such as inurl:Adminupdate.php to find potentially vulnerable targets.

For active testing, tools like sqlmap can be used to test the 'flightno' parameter for SQL injection vulnerabilities, as demonstrated in proof-of-concept exploits.

- Example sqlmap command: sqlmap -u "http://target/Adminupdate.php?flightno=1" --dbms=mysql --risk=3 --level=5 --batch
- Search for vulnerable endpoints using: google dork "inurl:Adminupdate.php" [1, 4]
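The answer above covers active testing. On the defender's side, the same parameter list supports passive detection: legitimate admin updates never carry quotes, comment sequences, statement separators or SQL keywords in these fields, so their presence in a request to /Adminupdate.php is a usable indicator of an exploitation attempt. The PHP script below is an added example, not code from VulDB or the code-projects application; the access-log lines are constructed, and the indicator patterns, the exact path match and the "combined" log layout are assumptions. A production detector would add context (response size, request rate per source) before alerting.

```php
<?php
// Added example (not code from VulDB or the Simple Flight Ticket Booking
// System project): scan web-server access-log lines for requests to
// /Adminupdate.php whose injectable parameters (as listed in the advisory)
// carry SQL metacharacters or keywords. All log lines are constructed.

declare(strict_types=1);

// Parameters named in CVE-2026-3711.
const WATCHED_PARAMS = ['flightno', 'airplaneid', 'departure', 'dtime',
                        'arrival', 'atime', 'ec', 'ep', 'bc', 'bp'];

// Assumed indicators: none of these should appear in a valid value for
// a flight number, airport name, time, seat count or price.
const SUSPICIOUS_PATTERNS = [
    '/[\'"]/',                                    // string delimiters
    '/--|#|\/\*/',                                // SQL comment sequences
    '/;/',                                        // statement separator
    '/\b(or|and)\b\s*[\'"]?\s*\d+\s*=\s*\d+/i',   // tautologies such as or 1=1
    '/\b(union|select|sleep|benchmark|updatexml|extractvalue)\b/i',
];

/**
 * Parse one Apache/nginx "combined" access-log line.
 * Returns null when the line does not match the assumed layout.
 */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Inspect one request target. Returns [param, value, pattern] triples for
 * every watched parameter that matches an indicator; [] for a clean request.
 */
function findSqliIndicators(string $target): array
{
    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== '/Adminupdate.php' || empty($parts['query'])) {
        return [];
    }
    parse_str($parts['query'], $params);   // parse_str also URL-decodes values
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        foreach (SUSPICIOUS_PATTERNS as $pattern) {
            if (preg_match($pattern, $params[$name])) {
                $hits[] = [$name, $params[$name], $pattern];
                break;   // one indicator per parameter is enough to alert
            }
        }
    }
    return $hits;
}

// Constructed sample log: a benign admin edit, a tautology probe,
// a time-based probe, and an unrelated request.
$sampleLog = [
    '203.0.113.5 - - [08/Mar/2026:10:00:01 +0000] "GET /Adminupdate.php?flightno=AB123&ep=199 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Mar/2026:10:00:07 +0000] "GET /Adminupdate.php?flightno=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Mar/2026:10:00:09 +0000] "GET /Adminupdate.php?ep=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $req = parseAccessLogLine($line);
    if ($req === null) {
        continue;   // unparseable line: skip rather than crash the scan
    }
    foreach (findSqliIndicators($req['target']) as [$param, $value, $pattern]) {
        printf("ALERT %s %s param=%s value=%s matched=%s\n",
               $req['time'], $req['ip'], $param, $value, $pattern);
    }
}
```

Run against the constructed lines, the first and last requests produce nothing, while the two probes from 203.0.113.9 each raise an alert naming the parameter and the pattern that fired. To use it on a real server, replace `$sampleLog` with the lines of the access log (one `fgets` loop over the file) and feed the alerts into whatever the SOC already collects.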


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing the affected software with an alternative product, as no official patches or mitigations have been published.

Implementing prepared statements with parameter binding and applying strict input validation and filtering on all user inputs, especially the parameters flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, and bp, is strongly recommended to prevent SQL injection.

Restricting access to the /Adminupdate.php file and limiting administrative privileges can reduce the risk of exploitation.
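The prepared-statement recommendation above is the fix that removes the defect class rather than masking it. The PHP below is an added example, not the project's own code: the advisory does not publish the vulnerable function, so the unsafe handler, the `flights` table, its column names and the allow-list formats for each field are all assumptions. It shows the concatenation pattern CWE-89 describes beside a hardened handler that validates the shape of each of the ten parameters and then binds them through PDO, and runs both against an in-memory SQLite database so the difference in affected rows is visible. The PDO calls are identical for MySQL; only the DSN changes.

```php
<?php
// Added example (not code from the code-projects application): the
// concatenation pattern behind CWE-89, beside a hardened handler using
// input validation plus PDO prepared statements. Table name, column names
// and field formats are assumptions; the real schema is not in the advisory.

declare(strict_types=1);

// --- Unsafe: request values are pasted straight into the SQL text, so the
// database parses whatever the client sent as part of the statement.
function updateFlightUnsafe(PDO $db, array $in): int
{
    $sql = "UPDATE flights SET airplaneid='" . $in['airplaneid'] . "', "
         . "departure='" . $in['departure'] . "', dtime='" . $in['dtime'] . "', "
         . "arrival='" . $in['arrival'] . "', atime='" . $in['atime'] . "', "
         . "ec='" . $in['ec'] . "', ep='" . $in['ep'] . "', "
         . "bc='" . $in['bc'] . "', bp='" . $in['bp'] . "' "
         . "WHERE flightno='" . $in['flightno'] . "'";
    return $db->exec($sql);
}

// --- Hardened, step 1: allow-list the shape of every field (assumed formats).
function validateFlightInput(array $in): array
{
    $rules = [
        'flightno'   => '/^[A-Z0-9]{2,8}$/',              // e.g. AB123
        'airplaneid' => '/^\d{1,9}$/',
        'departure'  => '/^[A-Za-z .\-]{2,64}$/',
        'arrival'    => '/^[A-Za-z .\-]{2,64}$/',
        'dtime'      => '/^([01]\d|2[0-3]):[0-5]\d$/',    // HH:MM
        'atime'      => '/^([01]\d|2[0-3]):[0-5]\d$/',
        'ec'         => '/^\d{1,4}$/',                    // economy seat count
        'bc'         => '/^\d{1,4}$/',                    // business seat count
        'ep'         => '/^\d{1,7}(\.\d{1,2})?$/',        // economy price
        'bp'         => '/^\d{1,7}(\.\d{1,2})?$/',        // business price
    ];
    $clean = [];
    foreach ($rules as $field => $re) {
        $v = $in[$field] ?? null;
        if (!is_string($v) || !preg_match($re, $v)) {
            throw new InvalidArgumentException("invalid value for $field");
        }
        $clean[$field] = $v;
    }
    return $clean;
}

// --- Hardened, step 2: bind values as parameters. The SQL text reaches the
// database without any client data in it, so quotes or keywords in a value
// can never change the statement's structure.
function updateFlightSafe(PDO $db, array $in): int
{
    $v = validateFlightInput($in);
    $stmt = $db->prepare(
        'UPDATE flights SET airplaneid = :airplaneid, departure = :departure,
                dtime = :dtime, arrival = :arrival, atime = :atime,
                ec = :ec, ep = :ep, bc = :bc, bp = :bp
         WHERE flightno = :flightno'
    );
    $stmt->execute($v);   // keys of $v match the named placeholders
    return $stmt->rowCount();
}

// Constructed demo data on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE flights (flightno TEXT PRIMARY KEY, airplaneid TEXT,
           departure TEXT, dtime TEXT, arrival TEXT, atime TEXT,
           ec TEXT, ep TEXT, bc TEXT, bp TEXT)');
$db->exec("INSERT INTO flights VALUES ('AB123','7','Rome','08:00','Oslo','11:30','150','199','20','899')");
$db->exec("INSERT INTO flights VALUES ('CD456','8','Rome','09:00','Lima','21:00','150','650','20','2400')");

$good = ['flightno' => 'AB123', 'airplaneid' => '7', 'departure' => 'Rome',
         'dtime' => '08:00', 'arrival' => 'Oslo', 'atime' => '11:45',
         'ec' => '150', 'ep' => '209', 'bc' => '20', 'bp' => '899'];
echo "safe update, rows changed: " . updateFlightSafe($db, $good) . "\n";

// A flightno that turns the WHERE clause into a tautology when concatenated.
$bad = $good;
$bad['flightno'] = "AB123' OR '1'='1";
echo "unsafe update, rows changed: " . updateFlightUnsafe($db, $bad) . "\n";

try {
    updateFlightSafe($db, $bad);
} catch (InvalidArgumentException $e) {
    echo "safe update rejected: " . $e->getMessage() . "\n";
}
```

The safe handler touches only the one row it was asked to update; the unsafe handler, given the crafted flight number, rewrites every row in the table, which is the price-tampering impact the answers above describe. The validation layer rejects that input before it reaches the database at all, and even if a format rule were loosened, the bound parameter would still be treated as data. Both layers are cheap to apply to the ten parameters the advisory names.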

