CVE-2026-14762
code-projects · Hotel and Tourism Reservation
A SQL injection vulnerability exists in the rooms.php component of code-projects Hotel and Tourism Reservation 1.0, allowing unauthenticated remote attackers to compromise database integrity.
Executive summary
An unauthenticated SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0 poses a significant risk of unauthorized database access and data manipulation.
Vulnerability
This vulnerability is a SQL injection (CWE-89) flaw located in the rooms.php file. It allows an unauthenticated attacker to inject malicious SQL commands into the application's database, potentially bypassing existing security controls.
Business impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive reservation data, loss of confidentiality, and potential modification of system records. Given the CVSS score of 7.3, this is classified as a High-severity issue that could result in significant operational disruption and data breach risks if not addressed promptly.
Remediation
Immediate Action: Since a specific patch is currently unknown, administrators should restrict public access to the affected application and disable the vulnerable rooms.php functionality if not required.
Proactive Monitoring: Monitor server access logs for suspicious SQL syntax patterns, such as UNION SELECT statements or unexpected characters in URL parameters.
Compensating Controls: Implement a Web Application Firewall (WAF) with strict SQL injection filtering rules to inspect and block malicious incoming requests targeting the application.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This SQL injection vulnerability represents a critical risk to the integrity of the application database. Organizations using version 1.0 of this software must prioritize the implementation of WAF protections immediately and monitor vendor channels for the release of an official security patch.