Skip to main content

Hotel And Tourism Reservation

4 CVEs product

Monthly

CVE-2026-14764 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14763 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14756 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14755 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy