CVE-2026-14754
HighCVSS 7.3Summary
A SQL injection vulnerability has been found in Hotel and Tourism Reservation 1.0 in the file /admin/add_room.php. Manipulating the arguments delete_image, edit, description, number, price, rooms, or type can lead to SQL injection. The attack can be launched remotely, and the exploit has been published.
Risk Assessment
The organization is at risk of unauthorized database access, potentially leading to data leakage, modification, or deletion of hotel reservation information.
Recommendation
Immediately apply a patch or update provided by the vendor. Until then, disable or secure the /admin/add_room.php file and validate all input data.
Original NVD description (English source)
A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. Affected is an unknown function of the file /admin/add_room.php. Executing a manipulation of the argument delete_image/edit/description/number/price/rooms/type can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

