CVE-2026-14756
HighCVSS 7.3Summary
A SQL injection vulnerability was found in Hotel and Tourism Reservation 1.0 in the file /admin/add_tour.php. Manipulation of the delete_image argument allows SQL injection. The attack can be launched remotely and the exploit is publicly available.
Risk Assessment
An attacker can remotely steal, modify, or delete database data, compromising the confidentiality and integrity of hotel reservation data.
Recommendation
Immediately update the system to the latest version or apply a security patch. In the meantime, restrict access to /admin/add_tour.php and use parameterized queries.
Original NVD description (English source)
A vulnerability was found in code-projects Hotel and Tourism Reservation 1.0. Affected by this issue is some unknown functionality of the file /admin/add_tour.php of the component Tour Management Page. The manipulation of the argument delete_image results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.

