CVE-2026-14763

code-projects · Hotel and Tourism Reservation

A SQL injection vulnerability exists in the Hotel and Tourism Reservation system, allowing unauthenticated remote attackers to manipulate the database via the 'tour' parameter in tour_reserves.php.

Executive summary

An unauthenticated SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0 poses a significant risk of unauthorized database access and data manipulation.

Vulnerability

This is a SQL injection (CWE-89) vulnerability located in the /admin/tour_reserves.php file. The flaw allows unauthenticated remote attackers to inject malicious SQL commands via the 'tour' parameter, bypassing existing security controls.

Business impact

Successful exploitation of this vulnerability can lead to unauthorized access to the backend database, potentially resulting in the compromise of sensitive reservation records and personal user information. Given the CVSS score of 7.3, this flaw represents a high-severity risk to business operations, specifically regarding data confidentiality and integrity. The ability for unauthenticated actors to interact directly with the database could also lead to significant reputational damage and regulatory non-compliance.

Remediation

Immediate Action: As no official patch is currently available, restrict network access to the /admin/ directory and implement strict input validation on the 'tour' parameter to neutralize the SQL injection vector.

Proactive Monitoring: Monitor web server logs for anomalous HTTP requests targeting the tour_reserves.php file, specifically looking for SQL syntax patterns or unexpected character sequences in the 'tour' parameter.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection payloads before they reach the application layer.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Due to the high severity of this SQL injection vulnerability and the confirmed availability of public exploit code, organizations using the affected version of the Hotel and Tourism Reservation software must act immediately. Prioritize implementing the suggested compensating controls and strictly limit access to administrative interfaces until a formal vendor patch is released.