CVE-2026-3806
SQL Injection in SourceCodester Janobe Resort Reservation System
Publication date: 2026-03-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | resort_reservation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3806 is a SQL injection vulnerability in the janobe Resort Reservation System version 1.0, specifically in the file room_rates.php. The vulnerability arises from improper handling of the "q" parameter, which allows an attacker to inject malicious SQL code into the database query.'}, {'type': 'paragraph', 'content': 'This flaw enables multiple types of SQL injection attacks including boolean-based blind, error-based, time-based blind, and UNION-based SQL injection techniques against a MySQL backend. Exploiting this vulnerability can allow attackers to access or manipulate the database remotely without authentication.'}] [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access and manipulation of the database used by the resort reservation system. Attackers can extract sensitive information, modify data, or disrupt the availability of the system.
Because the exploit is publicly available and can be triggered remotely without authentication, it increases the risk of active exploitation, potentially compromising the confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing the "q" parameter in the URI of the /room_rates.php file for SQL injection using various SQLi techniques.'}, {'type': 'list_item', 'content': "Boolean-based blind SQL injection: Use a payload like `' AND 5229=5229#` to confirm injection by evaluating a true condition."}, {'type': 'list_item', 'content': "Error-based SQL injection: Use a payload such as `' AND GTID_SUBSET(CONCAT(0x716a6b6b71,(SELECT (ELT(4510=4510,1))),0x7176626271),4510)--` to trigger error messages revealing data."}, {'type': 'list_item', 'content': "Time-based blind SQL injection: Use a payload like `' AND (SELECT 8576 FROM (SELECT(SLEEP(5)))nhcE)--` to detect injection by observing a delay in response time."}, {'type': 'list_item', 'content': "UNION-based SQL injection: Use a payload such as `' UNION ALL SELECT CONCAT(0x716a6b6b71,0x4f72526478424179595444425270714371725a7648766b5147444c48617161654d69666771574d57,0x7176626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#` to extract data by combining query results."}] [1]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been reported for this vulnerability.
It is suggested to replace the affected software with an alternative product to avoid exploitation.