CVE-2026-14764
Code-Projects · Hotel and Tourism Reservation
A SQL injection vulnerability in the add_event.php file of Code-Projects Hotel and Tourism Reservation 1.0 allows for remote, unauthenticated database manipulation.
Executive summary
An unauthenticated SQL injection vulnerability within Code-Projects Hotel and Tourism Reservation 1.0 creates a critical risk of unauthorized database access and system compromise.
Vulnerability
This vulnerability is a SQL injection (CWE-89) flaw located in the add_event.php file. An unauthenticated attacker can supply malicious input to the application, which is then processed by the database without proper sanitization or parameterization.
Business impact
Exploiting this vulnerability grants an attacker the ability to interact with the back-end database, potentially leading to the theft of sensitive reservation data or unauthorized administrative changes. The CVSS score of 7.3 reflects a high level of risk, as successful exploitation could lead to a complete compromise of the application's data integrity.
Remediation
Immediate Action: Monitor the vendor's website at code-projects.org for security updates and apply them to version 1.0 immediately upon release.
Proactive Monitoring: Monitor server logs for suspicious HTTP requests and database error logs that may indicate failed or successful injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) to sanitize inputs and block malicious payloads specifically targeting the add_event.php endpoint.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ease with which SQL injection vulnerabilities can be exploited, it is vital to treat this issue with high urgency. Organizations should ensure that the affected application is protected by a WAF and that all available patches are applied to remediate the underlying code vulnerability.