CVE-2026-14764
Status: Received - Intake

SQL Injection in Hotel and Tourism Reservation 1.0

Vulnerability report for CVE-2026-14764, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. It affects an unknown function in the file /admin/add_event.php of the Event Management Page component. Manipulation of the argument fdetails leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-06
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Executive Summary

CVE-2026-14764 is a Time-based Blind SQL Injection vulnerability found in the Hotel and Tourism Reservation System PHP version 1.0. It exists in the /ht/admin/add_event.php file, specifically in the fdetails POST parameter.

This vulnerability allows an unauthenticated remote attacker to perform SQL injection by manipulating the fdetails parameter; no authentication is required.

Exploitation of this flaw can enable the attacker to enumerate the entire database and extract sensitive information such as credentials, potentially leading to full system compromise.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the database, such as user credentials.

An attacker can remotely exploit this flaw without authentication, which increases the risk of a full system compromise.

The compromise of sensitive data and system control can lead to data breaches, service disruption, and loss of trust.

Detection Guidance

This vulnerability is a Time-based Blind SQL Injection in the fdetails POST parameter of the /ht/admin/add_event.php file. Detection can be performed by sending crafted POST requests to this endpoint and observing response delays indicative of time-based SQL injection.

  • Use curl or similar tools to send POST requests with payloads designed to cause time delays, for example: curl -X POST -d "fdetails=1' AND IF(SLEEP(5),1,0)-- -" http://target/ht/admin/add_event.php
  • Monitor the response time; a significant delay suggests the presence of the vulnerability.
  • Use automated SQL injection detection tools that support time-based blind SQLi testing against the fdetails parameter on the specified URL.

Mitigation Strategies

Immediate mitigation involves updating the vulnerable code to use prepared statements with parameterized queries for the fdetails parameter in /ht/admin/add_event.php.

Prepared statements prevent SQL injection by separating the SQL text from the data: user input is bound as a value rather than concatenated into the query string.

Additionally, restrict access to the /admin/add_event.php page if possible, and monitor logs for suspicious activity.
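As an added illustration of the two mitigations above (this is example code, not the project's own handler), the following PHP shows the concatenation pattern that produces CWE-89 next to the prepared-statement version, plus a session check that restricts the page to logged-in administrators. The table name `events`, the column names, the `ftitle` field, the `admin_id` session key and the database credentials are all assumptions for this example.

```php
<?php
// Added example, not code from the Hotel and Tourism Reservation project.
// Table, column and session names are assumptions; credentials are placeholders.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$db->set_charset('utf8mb4');

// Vulnerable pattern (CWE-89): the POST parameter is spliced straight into
// the SQL text, so quotes and keywords inside fdetails become part of the
// statement the database parses.
function add_event_vulnerable(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO events (title, details) VALUES ('" . $post['ftitle']
         . "', '" . $post['fdetails'] . "')";
    return $db->query($sql) !== false;
}

// Hardened pattern: a prepared statement with bound parameters. The SQL text
// is fixed before any user data reaches the server; fdetails travels as a
// value and is never interpreted as SQL syntax.
function add_event_safe(mysqli $db, array $post): bool
{
    $title   = (string) ($post['ftitle'] ?? '');
    $details = (string) ($post['fdetails'] ?? '');

    $stmt = $db->prepare('INSERT INTO events (title, details) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $title, $details);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Access restriction: require an authenticated admin session before the
// handler runs, so the endpoint is not reachable unauthenticated.
// The 'admin_id' session key is an assumption.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Admin login required');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    add_event_safe($db, $_POST);
}
```

The important property of `add_event_safe` is that the query string passed to `prepare()` contains no user data at all; `bind_param` sends `fdetails` to the server separately, which is why payloads such as the `SLEEP()` probe in the detection section above are stored as plain text instead of being executed.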

Compliance Impact

The vulnerability allows an unauthenticated remote attacker to perform Time-based Blind SQL Injection, enabling them to enumerate the entire database and extract sensitive data such as credentials.

Such unauthorized access and potential data breach could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information.

Therefore, exploitation of this vulnerability may result in violations of data protection requirements, exposing the affected organization to legal and regulatory consequences.
