CVE-2026-6142
SQL Injection in tushar-2223 Hotel Management /admin/roomdelete.php
Publication date: 2026-04-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tushar-2223 | hotel_management_system | to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing session and role-based authentication checks at the start of every PHP file within the admin directory to prevent unauthenticated access.
Additionally, the code handling the id parameter should be updated to use prepared statements (such as PDO or MySQLi) to securely handle user inputs and prevent SQL injection.
Can you explain this vulnerability to me?
CVE-2026-6142 is an unauthenticated time-based blind SQL injection vulnerability in the Hotel Management System, specifically in the administrative endpoint /admin/roomdelete.php.
The vulnerability occurs because the 'id' parameter is directly concatenated into SQL queries without sanitization or parameterized queries, and the endpoint lacks session authentication controls.
This allows remote attackers to execute arbitrary SQL commands without needing to authenticate.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can exfiltrate the entire database, including administrator credentials and sensitive guest information.
They can also perform destructive actions such as deleting all room records.
Since the vulnerability is unauthenticated and remotely exploitable, it poses a critical risk to the confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing the administrative endpoint /admin/roomdelete.php for time-based blind SQL injection on the id parameter.
A practical way to confirm this vulnerability is to use the sqlmap tool with the following command:
- python sqlmap.py -u "http://[TARGET_IP]:[PORT]/admin/roomdelete.php?id=1" --technique=T --dbms=mysql --level=3 --risk=3 --batch --time-sec=5 --current-db
This command tests for time-based blind SQL injection and attempts to enumerate the current database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Hotel Management System allows remote attackers to exfiltrate sensitive data, including administrator credentials and guest information, without authentication.
Such unauthorized access and potential data breach can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.
Failure to secure sensitive guest data and administrative credentials could result in violations of these standards, exposing the organization to legal and financial penalties.