Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php.
AnalysisAI
SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.
Technical ContextAI
The vulnerability exists in a PHP-based resort management application, specifically within the room management administrative interface. SQL Injection (CWE-89) occurs when user-supplied input is directly concatenated into SQL queries without proper parameterization or prepared statements. The affected endpoint /orms/admin/rooms/manage_room.php fails to sanitize or parameterize database queries, allowing an attacker with administrative credentials to craft malicious SQL fragments. This is a classic input validation failure in PHP applications that do not use prepared statements or ORM frameworks with automatic parameter binding.
RemediationAI
Implement parameterized queries or prepared statements with bound parameters for all database operations in the manage_room.php file and throughout the application. If upgrading is possible, apply any security patches released by Sourcecodester; however, no specific patched version is currently confirmed available. As an interim control, restrict administrative access through network-level controls such as VPN, IP whitelisting, or firewall rules to limit who can access the /orms/admin/ path. Input validation and output encoding of all user-supplied data should be applied as defense-in-depth measures. References for technical guidance are available at the ENISA EUVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-36941) and the vulnerability report (https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-resort-management-system/SQL-5.md).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21979
GHSA-rvx7-v6v9-w87p