CVE-2026-14764

Code-Projects · Hotel and Tourism Reservation

A SQL injection vulnerability in the add_event.php file of Code-Projects Hotel and Tourism Reservation 1.0 allows for remote, unauthenticated database manipulation.

Executive summary

A critical SQL injection vulnerability in Code-Projects Hotel and Tourism Reservation 1.0 allows unauthenticated remote attackers to manipulate the backend database, potentially leading to full data compromise.

Vulnerability

This is a SQL injection flaw (CWE-89) located in the add_event.php file. The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious SQL commands directly into the database.

Business impact

With a CVSS score of 7.3, this vulnerability poses a severe risk to the confidentiality and integrity of the application's data. Successful exploitation could allow an attacker to dump sensitive reservation information, modify administrative records, or potentially gain unauthorized access to the underlying server environment, resulting in significant reputational and financial damage.

Remediation

Immediate Action: Given the lack of a specific patch, immediately restrict access to the add_event.php file or the entire application until a secure version is released or the code is manually sanitized.

Proactive Monitoring: Review web server access logs for unusual patterns, such as SQL keywords or URL-encoded characters in request parameters, which may indicate active exploitation attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with strict SQL injection protection rules to block malicious input patterns targeting the application.

Exploitation status

Public Exploit Available: True

Analyst recommendation

This vulnerability is highly dangerous due to the lack of authentication requirements and the availability of public exploit code. If this software is currently in use, it should be considered compromised until verified otherwise; isolate the application from the network until remediation is fully implemented.