CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability classified as critical has been found in code-projects Online Hotel Reservation System 1.0. Affected by this issue is an unknown function of the file /reservation/order.php. Manipulation of the argument Start leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6456 is a critical SQL injection vulnerability in code-projects Online Hotel Reservation System 1.0, specifically in the /reservation/order.php file's 'Start' parameter. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available, and the vulnerability is actively exploitable.
Technical Context
This vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) affecting a PHP-based web application. The Online Hotel Reservation System accepts user input via the 'Start' parameter in /reservation/order.php without proper input validation or parameterized query usage. The web application likely concatenates user-supplied input directly into SQL queries, allowing attackers to break out of the intended query context and inject arbitrary SQL syntax. The vulnerability exists in the order processing workflow, which typically handles sensitive booking and customer data. No specific CPE string refinements beyond 'code-projects Online Hotel Reservation System 1.0' are available from the provided data, but the affected software likely runs on Apache/Nginx with PHP 5.4+ and MySQL/MariaDB backends.
Affected Products
code-projects Online Hotel Reservation System version 1.0 (primary affected version). The vulnerability is introduced in this specific release; versions prior to 1.0 and any patches released after initial discovery should be investigated. No vendor advisory links are provided in the source data. Organizations should immediately audit their deployment inventory for this product and version. If the vendor has ceased support or provided no patches, the system should be decommissioned or isolated from network access.
Remediation
Immediate actions:
(1) If patched versions are available from the vendor, upgrade to the latest patched release immediately (vendor advisory/patch details are not provided in the available data; check code-projects' official repository or website).
(2) If no patch exists and vendor support is unavailable, implement network segmentation to restrict access to /reservation/order.php to trusted IP ranges only.
(3) Deploy a Web Application Firewall (WAF) with SQL injection detection rules to block malicious payloads targeting the 'Start' parameter.
(4) If the system must remain operational, implement input validation: whitelist expected date formats for the 'Start' parameter and reject any input containing SQL metacharacters or unexpected patterns.
(5) Use parameterized queries (prepared statements) in the /reservation/order.php code if patching is not immediately possible.
(6) Enable SQL query logging and set up alerts for suspicious patterns.
(7) Consider replacing this unsupported software with a maintained, well-audited reservation system.
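The following is an added illustration of remediation steps (4) and (5), not code from the Online Hotel Reservation System: a string-concatenated query of the kind the Technical Context describes, beside a hardened handler that whitelists the date format and binds the value through a prepared statement. The table and column names, the connection details and the use of mysqli are assumptions.

```php
<?php
// Added example (not the project's own code). Table/column names are assumed.

// Whitelist validation: accept only a real calendar date in YYYY-MM-DD form.
function validateStartDate(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat silently rolls 2025-02-30 over to March; the
    // round-trip comparison rejects such values.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

// BEFORE (the vulnerable pattern the advisory describes): the parameter is
// spliced into the SQL text, so any value containing SQL syntax alters the query.
function findReservationsUnsafe(mysqli $db, string $start)
{
    $sql = "SELECT id, room_id FROM reservations WHERE start_date = '$start'";
    return $db->query($sql);
}

// AFTER: validated input bound through a prepared statement, so the value is
// always treated as data and never as SQL.
function findReservationsSafe(mysqli $db, string $rawStart): array
{
    $start = validateStartDate($rawStart);
    if ($start === null) {
        http_response_code(400);
        return []; // reject unexpected patterns instead of querying
    }
    $stmt = $db->prepare(
        'SELECT id, room_id FROM reservations WHERE start_date = ?'
    );
    $stmt->bind_param('s', $start);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage from the request handler (assumed connection parameters):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'hotel');
// $rows = findReservationsSafe($db, $_GET['Start'] ?? '');
```

The hardened version rejects malformed input before any database call, and because the date is bound as a parameter the query text cannot be changed even if validation is later relaxed.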
EUVD-2025-18834