CVE-2026-13554

Cross-Site Scripting in Online Hotel Management System

Vulnerability report for CVE-2026-13554, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler. The manipulation of the argument Name leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: itsourcecode
Product: online_hotel_management_system
Version / Range: 1.0

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Instant insights powered by AI
Executive Summary

The CVE-2026-13554 vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Online Hotel Management System version 1.0. It occurs in the file "/admin/mod_amenities/controller.php" where the application fails to properly sanitize or validate user input submitted via POST requests, specifically the "name" field.

Attackers can exploit this vulnerability by injecting malicious scripts into the "name" argument, which are then stored in the database's "amenities" table. When the system later retrieves and displays this data without proper escaping, the injected scripts execute in the victim's browser.

This can lead to actions such as stealing user cookies, hijacking sessions, or conducting phishing attacks. The attack can be initiated remotely and does not require any login or authorization.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of users who view the affected data. This can lead to theft of sensitive information such as cookies and session tokens, which can be used to hijack user accounts.

Additionally, attackers may use this vulnerability to perform phishing attacks or other malicious activities that compromise user trust and system integrity.

Since the exploit can be performed remotely without authentication, it poses a significant security risk to both administrators and users of the system.

Detection Guidance

This vulnerability can be detected by testing the POST request to the endpoint /admin/mod_amenities/controller.php?action=add: submit typical XSS payloads in the "name" parameter and observe whether the input is stored and later executed when retrieved.

For example, you can use curl to send a test payload to the vulnerable parameter:

  • curl -X POST -d "name=<img src=x onerror=alert(2)>" "http://target-site/admin/mod_amenities/controller.php?action=add"

If the payload is stored and later executed when viewing the amenities, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and sanitization on the "name" parameter to prevent malicious scripts from being stored.

Additionally, output encoding should be applied when displaying the stored data to ensure that any injected scripts are not executed by the browser.

Character filtering to remove or escape special characters commonly used in XSS attacks is also recommended.
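As an added illustration of the two fixes above (input validation and output encoding), here is a hypothetical PHP amenity-name handler, not the itsourcecode code base, which this page does not show: the unsafe pattern that stores and re-renders the raw POST value, beside a hardened version that rejects invalid names on input and encodes on output. It assumes a PDO connection `$pdo` and an `amenities` table with a `name` column.

```php
<?php
// Added example: hypothetical handler, not the itsourcecode code base.
// Assumes a PDO connection $pdo and an `amenities` table with a `name` column.

// Vulnerable pattern: raw POST value stored, then echoed into HTML unescaped.
function addAmenityUnsafe(PDO $pdo, array $post): void {
    $stmt = $pdo->prepare('INSERT INTO amenities (name) VALUES (?)');
    $stmt->execute([$post['name']]);        // "<img src=x onerror=...>" is stored verbatim
}
function renderAmenityUnsafe(string $name): string {
    return "<li>$name</li>";                 // markup from the database is rendered live
}

// Hardened pattern: validate on input, encode on output.
function validateAmenityName(string $name): ?string {
    $name = trim($name);
    // Allow-list: letters, digits, spaces and a few punctuation marks, 1-64 chars.
    if (!preg_match('/^[\p{L}\p{N} .,&\'()-]{1,64}$/u', $name)) {
        return null;                         // reject rather than try to strip tags
    }
    return $name;
}
function addAmenitySafe(PDO $pdo, array $post): bool {
    $name = validateAmenityName($post['name'] ?? '');
    if ($name === null) {
        http_response_code(400);             // invalid name: refuse the request
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO amenities (name) VALUES (?)');
    return $stmt->execute([$name]);
}
function renderAmenitySafe(string $name): string {
    // Contextual output encoding for an HTML text node; ENT_QUOTES also covers attributes.
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Demo with the constructed payload from the detection section (no database needed).
$payload = '<img src=x onerror=alert(2)>';
echo renderAmenityUnsafe($payload), "\n";    // a browser would run the onerror handler
echo renderAmenitySafe($payload), "\n";      // &lt;img src=x onerror=alert(2)&gt; shown as text
var_dump(validateAmenityName($payload));     // NULL: rejected at input
var_dump(validateAmenityName('Free Wi-Fi')); // string(10) "Free Wi-Fi"
```

Output encoding is the control that actually stops the stored payload from executing; the input allow-list is defence in depth and should be tuned to the characters legitimate amenity names need.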
