CVE-2026-14762
Status: Received - Intake

SQL Injection in Hotel and Tourism Reservation System

Vulnerability report for CVE-2026-14762, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was detected in code-projects Hotel and Tourism Reservation 1.0. The impacted element is an unknown function of the file /admin/rooms.php of the component Room Management Page. Manipulation of the argument delete results in SQL injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Meta Information

Published: 2026-07-05
Last modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS evaluated: N/A

Affected Vendors & Products

Vendor: code-projects
Product: hotel_and_tourism_reservation
Version / Range: 1.0

Exploitability

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Executive Summary

CVE-2026-14762 is a Time-based Blind SQL Injection vulnerability found in the Hotel and Tourism Reservation System PHP version 1.0. It affects the file /ht/admin/rooms.php, specifically the delete parameter in the GET request.

This vulnerability allows an attacker to send specially crafted requests remotely without needing authentication, which can trigger time delays that confirm the presence of SQL injection.

Impact Analysis

Exploitation of this vulnerability can lead to database enumeration and extraction of sensitive information such as credentials.

It can also result in full system compromise, allowing attackers to gain unauthorized access and control over the affected system.

Detection Guidance

The vulnerability can be detected by sending crafted HTTP GET requests to the /admin/rooms.php file with the delete parameter manipulated to trigger a time delay, which confirms the presence of a time-based blind SQL injection.

A typical detection method involves observing the response time differences when sending specially crafted payloads that cause the database to delay its response if the injection is successful.

For example, using curl or similar tools, you can send requests like:

  • curl "http://target/ht/admin/rooms.php?delete=1 AND IF(SLEEP(5),1,0)"
  • If the response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

The immediate mitigation step is to replace the vulnerable code handling the delete parameter in /admin/rooms.php with prepared statements using parameterized queries.

This prevents SQL injection by ensuring that user input is treated as data rather than executable code.

Additionally, restricting access to the affected endpoint and monitoring for suspicious requests can help reduce risk until a patch is applied.
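The following is an added illustration of the mitigation described above, not code from the code-projects application: it places an assumed version of the vulnerable delete pattern beside a hardened handler that validates the parameter, binds it in a prepared statement, and gates the endpoint behind a session check. The table name `rooms`, column `id`, session key and database credentials are all assumptions.

```php
<?php
// Added example, not the project's own rooms.php. Assumes a mysqli connection
// and a table `rooms` with an integer primary key `id` (both assumed names).

// Vulnerable pattern: the raw GET value is concatenated into the SQL text, so
// any SQL syntax supplied in ?delete=... is interpreted by the database (CWE-89).
function deleteRoomVulnerable(mysqli $conn, string $deleteParam): bool
{
    $sql = "DELETE FROM rooms WHERE id = " . $deleteParam;
    return $conn->query($sql) !== false;
}

// Hardened pattern: validate the parameter as a positive integer, then bind it
// to a prepared statement so the database can only ever treat it as data.
function deleteRoomSafe(mysqli $conn, string $deleteParam): bool
{
    $id = filter_var($deleteParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Log rejected input: repeated hits here are a useful detection signal.
        error_log('rooms.php: rejected non-integer delete parameter');
        return false;
    }

    $stmt = $conn->prepare('DELETE FROM rooms WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id); // 'i' binds the value as an integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: require an authenticated admin session (key name assumed)
// before the delete action is reachable, then use the hardened function.
session_start();
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit('Forbidden');
}
if (isset($_GET['delete'])) {
    $conn = new mysqli('localhost', 'db_user', 'db_password', 'hotel_db'); // placeholder credentials
    $conn->set_charset('utf8mb4');
    if (deleteRoomSafe($conn, (string) $_GET['delete'])) {
        header('Location: rooms.php');
    } else {
        http_response_code(400);
        echo 'Invalid room id';
    }
}
```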

Compliance Impact

The vulnerability allows remote SQL injection attacks that can lead to database enumeration and extraction of credentials and sensitive data.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information.

However, the provided resources do not explicitly discuss compliance implications.