CVE-2026-6142

Received Received - Intake

SQL Injection in tushar-2223 Hotel Management /admin/roomdelete.php

Publication date: 2026-04-13

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-13

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-04-13

EPSS Evaluated

2026-06-15

NVD

CVE-2026-6142

EUVD

EUVD-2026-21770

Affected Vendors & Products

Vendor	Product	Version / Range
tushar-2223	hotel_management_system	to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Mitigation Strategies

Immediate mitigation steps include enforcing session and role-based authentication checks at the start of every PHP file within the admin directory to prevent unauthenticated access.

Additionally, the code handling the id parameter should be updated to use prepared statements (such as PDO or MySQLi) to securely handle user inputs and prevent SQL injection.

Executive Summary

CVE-2026-6142 is an unauthenticated time-based blind SQL injection vulnerability in the Hotel Management System, specifically in the administrative endpoint /admin/roomdelete.php.

The vulnerability occurs because the 'id' parameter is directly concatenated into SQL queries without sanitization or parameterized queries, and the endpoint lacks session authentication controls.

This allows remote attackers to execute arbitrary SQL commands without needing to authenticate.

Impact Analysis

An attacker exploiting this vulnerability can exfiltrate the entire database, including administrator credentials and sensitive guest information.

They can also perform destructive actions such as deleting all room records.

Since the vulnerability is unauthenticated and remotely exploitable, it poses a critical risk to the confidentiality, integrity, and availability of the system.

Detection Guidance

The vulnerability can be detected by testing the administrative endpoint /admin/roomdelete.php for time-based blind SQL injection on the id parameter.

A practical way to confirm this vulnerability is to use the sqlmap tool with the following command:

python sqlmap.py -u "http://[TARGET_IP]:[PORT]/admin/roomdelete.php?id=1" --technique=T --dbms=mysql --level=3 --risk=3 --batch --time-sec=5 --current-db

This command tests for time-based blind SQL injection and attempts to enumerate the current database.

Compliance Impact

The SQL injection vulnerability in the Hotel Management System allows remote attackers to exfiltrate sensitive data, including administrator credentials and guest information, without authentication.

Such unauthorized access and potential data breach can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Failure to secure sensitive guest data and administrative credentials could result in violations of these standards, exposing the organization to legal and financial penalties.

Hi! I’m here to help you understand CVE-2026-6142. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-6142

SQL Injection in tushar-2223 Hotel Management /admin/roomdelete.php

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart