CVE-2026-5705
Received Received - Intake

Cross-Site Scripting in code-projects Online Hotel Booking Booking Endpoint

Vulnerability report for CVE-2026-5705, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such manipulation of the argument roomname leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-04-29
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_hotel_booking 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-5705 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Online Hotel Booking System v1.0, specifically in the booking functionality at the endpoint /hotel booking/booknow.php. The vulnerability arises because the application takes the user-supplied 'roomname' parameter from HTTP GET requests and directly inserts it into the HTML response without any sanitization or output encoding.

This lack of sanitization allows an attacker to inject malicious HTML or JavaScript code, which then executes in the victim's browser when they access a crafted URL containing the malicious payload.

For example, an attacker can craft a URL that includes a script tag in the 'roomname' parameter, causing arbitrary JavaScript to run in the user's browser.

Impact Analysis

This vulnerability can have several impacts on users and the application, including:

  • Execution of arbitrary JavaScript code in users' browsers.
  • Theft of session cookies, which can lead to user session hijacking.
  • Unauthorized actions performed on behalf of users without their consent.
  • Redirecting users to malicious websites.
  • Facilitating phishing attacks by injecting deceptive content.
Detection Guidance

This vulnerability can be detected by testing the booking endpoint /booknow.php with crafted HTTP GET requests that inject JavaScript code into the roomname parameter.

A simple detection method is to send a request with a payload such as <script>alert(1)</script> in the roomname parameter and observe if the script executes in the response.

Example command using curl to test the vulnerability:

  • curl -i "http://localhost/hotel%20booking/booknow.php?roomname=<script>alert(1)</script>"

If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include properly encoding user input before rendering it in HTML to prevent script execution.

  • Use PHP's htmlspecialchars() function to encode the roomname parameter, for example: echo htmlspecialchars($roomname, ENT_QUOTES, 'UTF-8');
  • Validate and sanitize all user inputs to reject unexpected or malicious characters.
  • Implement Content Security Policy (CSP) headers to restrict the sources of executable scripts, e.g., Content-Security-Policy: default-src 'self'

These steps help prevent the execution of injected scripts and reduce the risk of cross-site scripting attacks.

Compliance Impact

The vulnerability described is a Reflected Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript in users' browsers, which can lead to session hijacking, unauthorized actions, and phishing attacks.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, compromise user privacy, and fail to ensure adequate protection of user information.

Specifically, GDPR requires organizations to implement appropriate technical measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. An XSS vulnerability that allows session hijacking or data theft could be considered a failure to meet these requirements.

Similarly, HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). An XSS vulnerability could enable attackers to access or manipulate ePHI, thus violating HIPAA security rules.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart