CVE-2026-13557
Status: Received - Intake

Cross-Site Scripting in Online Hotel Management System 1.0

Vulnerability report for CVE-2026-13557, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was identified in itsourcecode Online Hotel Management System 1.0. It affects unknown code in the file /admin/mod_room/controller.php?action=add of the component POST Request Handler. Manipulation of the argument Name leads to cross-site scripting. The attack may be launched remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode online_hotel_management_system 1.0

Helpful Resources

Exploitability

CWE
KEV
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Online Hotel Management System version 1.0, specifically in the file /admin/mod_room/controller.php. It occurs because the application neither validates nor escapes the 'name' field of a POST request before storing it. An attacker can inject script content that is stored persistently in the database; when that data is later rendered on a web page without output encoding, the script executes in the browser of whoever views the page.

The attack can be launched remotely without any authentication, making it easier for attackers to exploit.

Impact Analysis

Exploitation of this vulnerability allows attackers to execute malicious scripts in the context of the victim's browser. This can lead to harmful actions such as stealing user cookies, hijacking user sessions, and conducting phishing attacks.

Because the malicious code is stored in the system and served to users, it can affect multiple users over time, increasing the potential damage.

Detection Guidance

This vulnerability can be detected by testing the POST request handler at the endpoint /admin/mod_room/controller.php?action=add: submit a script payload in the "name" parameter and observe whether the input is stored and later rendered without encoding.

A practical detection method is to send a POST request with a payload such as "<img src=x onerror=alert(2)>" in the "name" field and then check if the script executes when the stored data is viewed.

Example command using curl to test the vulnerability:

  • curl -X POST -d "name=<img src=x onerror=alert(2)>" https://[target]/admin/mod_room/controller.php?action=add

After sending this request, check whether the injected markup executes when the room data is displayed in the application; if it does, the stored XSS vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include strict input validation on the "name" parameter (length limit and an allow-list of permitted characters) so that script content is rejected before it is stored.

Independently of input validation, apply context-appropriate output encoding wherever stored data is rendered into HTML, so that any value that does reach the database is displayed as text rather than interpreted by the browser.

Defence-in-depth controls such as a Content Security Policy (CSP) that disallows inline scripts further reduce the impact if an injection slips through.

No authentication is required to exploit this vulnerability, so these measures should be prioritized to prevent remote attacks.
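The following PHP is an added illustration written for this page; it is not code from the itsourcecode project and does not reflect how controller.php is actually written. It puts the unsafe pattern the advisory describes (raw POST value stored and echoed) next to a hardened handler that applies the three mitigations above: allow-list validation of the name, a parameterised insert, and HTML output encoding, plus a CSP header. The `rooms` table, its `name` column and the `$pdo` connection are assumed for the example.

```php
<?php
// Added illustration (not code from the itsourcecode project): a hypothetical
// "add room" handler showing the unsafe pattern described in the advisory next
// to a hardened version. The rooms table and the $pdo connection are assumed.

// --- Unsafe pattern (CWE-79 as described): raw POST value stored, then echoed verbatim. ---
function add_room_unsafe(PDO $pdo, array $post): void
{
    $name = $post['name'];                                   // no validation at all
    $pdo->exec("INSERT INTO rooms (name) VALUES ('$name')"); // string-built SQL
}

function render_room_unsafe(string $name): string
{
    return "<td>$name</td>";                                 // no output encoding
}

// --- Hardened version. ---

// Input validation: accept only what a room name legitimately needs.
function validate_room_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks; angle brackets and quotes are rejected.
    if (!preg_match('/^[\p{L}\p{N} .,\-_()]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding: escape at the point of rendering, regardless of what validation did.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function add_room_safe(PDO $pdo, array $post): bool
{
    $name = validate_room_name($post['name'] ?? '');
    if ($name === null) {
        http_response_code(400);                             // reject, do not store
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO rooms (name) VALUES (:name)'); // parameterised
    return $stmt->execute([':name' => $name]);
}

function render_room_safe(string $name): string
{
    return '<td>' . html_escape($name) . '</td>';
}

// Defence in depth: a CSP that disallows inline script and inline event handlers,
// so even a stored payload that reaches the page cannot run.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Demonstration with a constructed payload (the one quoted in the detection guidance).
$payload = '<img src=x onerror=alert(2)>';
var_dump(validate_room_name($payload));  // the validator rejects the payload
echo render_room_safe($payload), "\n";   // the encoder renders it as inert text
```

The two layers are deliberately independent: validation keeps junk out of the database, and encoding protects the page even for rows that were stored before the fix or that arrive through another code path. Validation alone is not enough, because the allow-list has to be relaxed whenever a legitimate room name needs a new character, and each relaxation is a chance to reintroduce the bug.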

