Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a PHP web application. The affected endpoint /index.php/reservation/check processes the room_type parameter without proper input sanitization or parameterized queries, allowing attackers to inject arbitrary SQL commands. CPE identifies the vulnerable product as SourceCodester Hotel Management System version 1.0. SQL injection remains a prevalent and dangerous vulnerability class because it grants direct database access, bypassing application-layer authorization. The CVSS vector AV:N/AC:L/PR:N indicates the vulnerability is remotely exploitable over the network with low complexity and no authentication required, making it accessible to unsophisticated attackers using the publicly available exploit code.
RemediationAI
No vendor-released patch identified at time of analysis. SourceCodester typically publishes code samples rather than maintaining production software with security updates. Primary mitigation: discontinue use of Hotel Management System 1.0 in production environments and replace with actively maintained hotel management software that receives security updates. If continued use is unavoidable, implement SPECIFIC compensating controls: (1) Apply strict input validation on room_type parameter using an allowlist of valid room type values (e.g., 'single', 'double', 'suite')-reject any input containing SQL metacharacters (quotes, semicolons, dashes, comment markers); trade-off is reduced functionality if dynamic room types are required. (2) Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting /index.php/reservation/check, though determined attackers can evade signature-based detection. (3) Restrict application database account permissions to minimum required (SELECT/INSERT only on specific tables, no DROP/ALTER)-limits impact but does not prevent data exfiltration. (4) Deploy intrusion detection monitoring database queries for injection patterns. For developers: refactor code to use parameterized queries/prepared statements with bound parameters (mysqli_prepare or PDO in PHP). References: VulDB 360315 (https://vuldb.com/vuln/360315), exploit POC at https://github.com/wangzhongyang085/CVE/issues/2.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today