CVE-2026-14754

code-projects · Hotel and Tourism Reservation

A SQL injection vulnerability in the code-projects Hotel and Tourism Reservation system allows unauthenticated attackers to execute arbitrary database queries.

Executive summary

A critical SQL injection vulnerability in the code-projects Hotel and Tourism Reservation system enables unauthenticated attackers to compromise sensitive backend database information.

Vulnerability

The application fails to properly sanitize user-supplied input before using it in database queries (CWE-89, CWE-74), facilitating SQL injection attacks that can be performed by unauthenticated users.

Business impact

A successful SQL injection attack can lead to total compromise of the database, including the theft of sensitive customer information or credentials. Given the 7.3 CVSS score, this vulnerability represents a high risk to business operations, as it may result in data breaches and non-compliance with data protection regulations.

Remediation

Immediate Action: Audit the source code for vulnerable input fields and apply parameterized queries to neutralize the SQL injection vector.

Proactive Monitoring: Monitor database query logs for suspicious syntax, such as UNION SELECT statements or unauthorized access attempts to sensitive tables.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured with SQL injection protection rules to filter malicious input before it reaches the application.

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection remains a primary vector for data exfiltration; therefore, addressing this flaw is critical. Organizations using version 1.0 should restrict access to the application immediately and prioritize the implementation of input validation and parameterized queries.