Description
uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. Attackers can send crafted requests to index.php with malicious system_page values using time-based blind SQL injection techniques to extract sensitive database information.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic time‑based blind SQL injection in the system_page GET parameter of uHotelBooking System's index.php. It allows an unauthenticated attacker to execute arbitrary SQL code, enabling extraction of sensitive database contents. The weakness is identified as CWE‑89 and could compromise the confidentiality of customer data.

Affected Systems

This flaw exists in the Hotel‑Booking‑Script uHotelBooking System product. No specific version numbers are listed in the CVE data, so all installed instances of the product are potentially affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the field, though the lack of a KEV listing indicates no known active exploitation. Attackers could exploit the vulnerability by sending crafted GET requests to index.php with malicious system_page values over the network, as the vulnerability is unauthenticated and remote.

Generated by OpenCVE AI on March 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or update to a version that removes the SQL injection vulnerability.
  • If a patch is not available, restrict access to the system_page parameter or implement strict input validation to prevent injection.
  • Ensure the application uses parameterized queries or an ORM that properly escapes user input.
  • Monitor incoming traffic for suspicious requests targeting index.php with manipulated system_page parameters.

Generated by OpenCVE AI on March 18, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Hotel-booking-script
Hotel-booking-script uhotelbooking System
Vendors & Products Hotel-booking-script
Hotel-booking-script uhotelbooking System

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. Attackers can send crafted requests to index.php with malicious system_page values using time-based blind SQL injection techniques to extract sensitive database information.
Title uHotelBooking System Lastest SQL Injection via system_page Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hotel-booking-script Uhotelbooking System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:46:51.570Z

Reserved: 2026-03-12T14:23:23.600Z

Link: CVE-2019-25530

cve-icon Vulnrichment

Updated: 2026-03-12T16:46:45.435Z

cve-icon NVD

Status : Deferred

Published: 2026-03-12T16:16:06.827

Modified: 2026-04-15T14:56:45.970

Link: CVE-2019-25530

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:14Z

Weaknesses