CVE-2026-14755
Status: Received - Intake

SQL Injection in Hotel and Tourism Reservation System

Vulnerability report for CVE-2026-14755, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/reservations.php of the component Reservations Management Page. The manipulation of the argument delete leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Executive Summary

CVE-2026-14755 is a Time-based Blind SQL Injection vulnerability found in the Hotel and Tourism Reservation System PHP version 1.0. It exists in the /ht/admin/reservations.php file, specifically through the 'delete' GET parameter.

This vulnerability allows an unauthenticated remote attacker to manipulate the 'delete' argument to perform SQL injection attacks without needing to log in.

Exploitation can cause a delay in server response, which can be used to infer information from the database, such as enumerating the entire database and extracting sensitive data like credentials.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the database, such as user credentials.

An attacker can remotely exploit this flaw without authentication, potentially leading to full system compromise.

The attack can disrupt normal operations by manipulating database queries, which may affect data integrity and availability.

Detection Guidance

This vulnerability can be detected by testing the /admin/reservations.php endpoint for SQL injection via the delete GET parameter. A common method is to send specially crafted requests that induce a time delay in the server response, indicating a Time-based Blind SQL Injection.

  • Use curl or similar tools to send requests with payloads that cause a delay, for example: curl "http://target/ht/admin/reservations.php?delete=1 AND IF(SUBSTRING((SELECT database()),1,1)='a',SLEEP(6),0)"
  • Observe if the server response is delayed significantly (e.g., 6 seconds), which suggests the presence of the vulnerability.
  • Automated vulnerability scanners that support time-based blind SQL injection detection can also be used to identify this issue.
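A defender-side complement to the active test above, added here as an example (not code from the advisory or the vendor): it scans access-log lines for requests to reservations.php whose delete parameter is anything other than a plain numeric id, which is the shape of the injection attempt the detection guidance describes. The log lines are constructed samples; the path prefix /ht/ is taken from the executive summary.

```php
<?php
// Added example, not from the advisory or the vendor: flag access-log entries for
// reservations.php whose delete parameter is anything other than a plain integer
// id, which is what an injection attempt against this endpoint looks like.
// The log lines below are constructed samples in Apache combined format.

function flagSuspiciousDeleteRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the request target out of the "METHOD /path?query HTTP/x.y" field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $path  = (string) parse_url($m[1], PHP_URL_PATH);
        $query = (string) parse_url($m[1], PHP_URL_QUERY);
        if (!str_ends_with($path, '/admin/reservations.php')) {
            continue;
        }
        parse_str($query, $params); // percent-decodes the values for us
        if (!isset($params['delete']) || ctype_digit((string) $params['delete'])) {
            continue; // parameter absent, or a normal numeric id
        }
        $hits[] = ['delete' => $params['delete'], 'line' => $line];
    }
    return $hits;
}

// Constructed sample log: one legitimate delete, one time-based probe, one unrelated hit.
$sampleLog = [
    '10.0.0.5 - - [05/Jul/2026:10:00:01 +0000] "GET /ht/admin/reservations.php?delete=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jul/2026:10:00:07 +0000] "GET /ht/admin/reservations.php?delete=1%20AND%20IF(SUBSTRING((SELECT%20database()),1,1)=%27a%27,SLEEP(6),0) HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [05/Jul/2026:10:00:09 +0000] "GET /ht/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (flagSuspiciousDeleteRequests($sampleLog) as $hit) {
    echo "suspicious delete value: {$hit['delete']}\n";
}
```

Only the second sample line is reported; a response-time column, where the server logs one, can be checked alongside the value to confirm the SLEEP-induced delay.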

Mitigation Strategies

Immediate mitigation involves fixing the SQL injection vulnerability by using prepared statements with parameterized queries in the /admin/reservations.php file to handle the delete parameter safely.

Additionally, enforce authentication and authorization checks on the Reservations Management Page so that the endpoint cannot be reached by unauthenticated remote users.

If a patch or updated version is available, apply it promptly to remediate the vulnerability.

As a temporary measure, consider blocking or filtering suspicious requests targeting the delete parameter at the web application firewall or network perimeter.
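To make the prepared-statement and authorization advice concrete, the following is an added example and not code from the code-projects application: the insecure pattern the advisory implies, shown in comments, beside a hardened delete handler. The table name, column name, session key and the mysqli connection are assumptions, since the real application's source is not shown on this page.

```php
<?php
// Added example, not code from the code-projects application: the insecure pattern
// that the advisory implies, beside a hardened replacement for the delete handler
// in /admin/reservations.php. The table name, column name and session key are
// assumptions; the real application's schema is not shown on the page.

// --- Vulnerable pattern (do not use): the GET parameter is concatenated into SQL.
// $sql = "DELETE FROM reservations WHERE id = " . $_GET['delete'];
// mysqli_query($conn, $sql);
// A value like "1 AND IF(...,SLEEP(6),0)" becomes part of the statement, which is
// the time-based blind injection CVE-2026-14755 describes.

// --- Hardened handler: authorization, strict input validation, prepared statement.
function deleteReservation(mysqli $conn, array $get, array $session): array
{
    // Refuse any state change without an authenticated admin session (assumed key).
    if (empty($session['admin_id'])) {
        return ['status' => 403, 'message' => 'authentication required'];
    }
    if (!isset($get['delete'])) {
        return ['status' => 400, 'message' => 'missing delete parameter'];
    }
    // Accept only a positive integer id. This rejects the reported payload outright;
    // the prepared statement below is still the primary fix.
    $id = filter_var($get['delete'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'message' => 'invalid reservation id'];
    }
    // Parameterized query: the id is bound as an integer and cannot alter the SQL.
    $stmt = $conn->prepare('DELETE FROM reservations WHERE id = ?');
    if ($stmt === false) {
        return ['status' => 500, 'message' => 'database error'];
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return [
        'status'  => $deleted > 0 ? 200 : 404,
        'message' => $deleted > 0 ? 'reservation deleted' : 'no such reservation',
    ];
}

// Wiring in the page itself (assumes $conn is an open mysqli connection):
// session_start();
// header('Content-Type: application/json');
// echo json_encode(deleteReservation($conn, $_GET, $_SESSION));
```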

Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform SQL injection attacks, potentially extracting sensitive data such as credentials and compromising the entire system.

Such unauthorized access and data extraction can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to the exposure and compromise of sensitive data.
