CVE Catalog

CVE-2026-14762

HighCVSS 7.3
Published: Translated: NVD NIST

Summary

A SQL Injection vulnerability was found in Hotel and Tourism Reservation 1.0 in the /admin/rooms.php file. Manipulation of the delete argument in the room management function allows an attacker to inject malicious SQL code. The attack can be performed remotely and the exploit is publicly available.

Risk Assessment

An attacker can gain unauthorized access to the database, steal or modify sensitive reservation and user data, leading to a breach of confidentiality and integrity of the system.

Recommendation

Immediately implement SQL query parameterization or use prepared statements for the delete function in /admin/rooms.php. It is also recommended to update the system to the latest version once a patch is released.

Original NVD description (English source)

A vulnerability was detected in code-projects Hotel and Tourism Reservation 1.0. The impacted element is an unknown function of the file /admin/rooms.php of the component Room Management Page. The manipulation of the argument delete results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS