CVE-2026-14755

code-projects · Hotel and Tourism Reservation

A SQL injection vulnerability exists in the add_event.php file of code-projects Hotel and Tourism Reservation 1.0, enabling unauthenticated remote attackers to execute arbitrary SQL queries.

Executive summary

An unauthenticated SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0 exposes the underlying database to unauthorized manipulation and potential data exfiltration.

Vulnerability

The application is susceptible to SQL injection (CWE-89) within the add_event.php script. An unauthenticated attacker can supply crafted input to this parameter, resulting in the execution of unauthorized database commands.

Business impact

Exploitation of this vulnerability allows an attacker to interact directly with the application database, potentially leading to the theft of reservation records or administrative credentials. With a CVSS score of 7.3, the vulnerability presents a high risk to business operations, necessitating immediate defensive measures to prevent unauthorized data access.

Remediation

Immediate Action: As no patch is currently available, restrict network access to the add_event.php endpoint to authorized internal users only.

Proactive Monitoring: Review database logs for unusual query activity or errors originating from the add_event.php script that suggest injection attempts.

Compensating Controls: Deploy WAF rules specifically designed to detect and block SQL injection payloads targeting input parameters used in the event management module.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The presence of a high-severity SQL injection vulnerability requires immediate attention to protect the application backend. Administrators should apply perimeter security measures immediately to mitigate the risk until an official vendor update is provided.