CVE-2026-3819
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in SourceCodester Reservation Management Module

Publication date: 2026-03-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. Such manipulation of the argument ID leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3819
EUVD
EUVD-2026-10336
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oretnom23 resort_reservation_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3819 is a stored cross-site scripting (XSS) vulnerability in the Reservation Management module of the SourceCodester Resort Reservation System version 1.0.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize or encode user-supplied input in reservation fields such as "Fullname" and "Remarks." Malicious JavaScript code injected into these fields is stored persistently in the database and later executed when the data is displayed on administrative pages.'}, {'type': 'paragraph', 'content': 'Specifically, the flaw arises from improper handling of the "ID" parameter in the URL path /?page=manage_reservation, allowing attackers to inject malicious scripts remotely.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to serious security issues including session hijacking and privilege escalation for administrators who view the affected pages.'}, {'type': 'paragraph', 'content': "An attacker can inject malicious scripts that execute in the context of the administrator's browser, potentially allowing them to steal sensitive information, manipulate data, or gain unauthorized access."}, {'type': 'paragraph', 'content': 'The attack can be launched remotely and requires some user interaction, making it a practical threat in real-world scenarios.'}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the Reservation Management module of the SourceCodester Resort Reservation System, specifically the URL parameter "?page=manage_reservation" with the "ID" argument. Injection of malicious JavaScript code into fields such as "Fullname" and "Remarks" can be used to verify if the input is improperly sanitized.'}, {'type': 'paragraph', 'content': 'Detection can involve sending crafted HTTP requests with script payloads in the "ID" parameter or reservation fields and observing if the scripts execute when the data is rendered on administrative pages.'}, {'type': 'paragraph', 'content': 'Example commands using curl to test for XSS might include:'}, {'type': 'list_item', 'content': 'curl -X POST "http://target/?page=manage_reservation&ID=<script>alert(\'XSS\')</script>"'}, {'type': 'list_item', 'content': 'curl -d "Fullname=<script>alert(\'XSS\')</script>&Remarks=test" -X POST "http://target/?page=manage_reservation"'}, {'type': 'paragraph', 'content': 'If the alert or injected script executes when viewing the reservation management page, the vulnerability is present.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include avoiding the use of the affected SourceCodester Resort Reservation System version 1.0 or restricting access to the Reservation Management module to trusted users only.'}, {'type': 'paragraph', 'content': 'Since no patches or known mitigations are currently available, consider replacing the affected product with an alternative solution that properly sanitizes user input.'}, {'type': 'paragraph', 'content': 'Additionally, applying web application firewall (WAF) rules to detect and block malicious script injections targeting the "ID" parameter or reservation fields can help reduce risk.'}, {'type': 'paragraph', 'content': 'Educate administrators to avoid clicking on suspicious links or inputs that could trigger the stored XSS.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart