CVE-2026-14756
code-projects · Hotel and Tourism Reservation
A SQL injection vulnerability in the add_tour.php script of code-projects Hotel and Tourism Reservation 1.0 permits unauthenticated attackers to perform unauthorized database operations.
Executive summary
An unauthenticated SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0 creates a high risk of unauthorized database interaction and information disclosure.
Vulnerability
This is a SQL injection (CWE-89) vulnerability residing in the add_tour.php file. By failing to properly sanitize user-supplied input, the application allows an unauthenticated attacker to execute malicious SQL statements.
Business impact
The ability for an unauthenticated user to inject SQL commands poses a severe threat to data integrity and confidentiality. Given the CVSS score of 7.3, this vulnerability could be leveraged to compromise the entire reservation system, leading to significant reputational and financial consequences.
Remediation
Immediate Action: Restrict access to the add_tour.php script to authorized personnel only, and monitor the application for any signs of unauthorized configuration changes.
Proactive Monitoring: Regularly audit database transaction logs for anomalous activity or unexpected modifications to tour-related data tables.
Compensating Controls: Utilize a Web Application Firewall to intercept and sanitize malicious traffic before it reaches the add_tour.php script, effectively neutralizing the injection vector.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity rating, immediate action is required to harden the application against this SQL injection risk. Security teams should implement the aforementioned compensating controls and maintain a state of heightened vigilance until a permanent patch is released by the vendor.