Description
alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Code Injection via XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the room_id GET parameter used by the /public/admin/edit_room.php page of Hotel‑Management‑PHP. An attacker can insert malicious JavaScript, which is executed in the victim’s browser when the URL is accessed. This can lead to session hijacking, credential theft, or defacement of the administrative interface. The flaw is an instance of improper input sanitization (CWE‑79).

Affected Systems

Hotel‑Management‑PHP version 1.0, developed by alandsilva26, is affected. No other versions or vendors are listed.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. While the EPSS score is not available, the lack of an authentication requirement (the vulnerability is triggered by the room_id parameter in a public URL) suggests that any user who visits the crafted URL may trigger the flaw. The vulnerability is not included in the CISA KEV catalog, so no confirmed exploitation campaigns are documented yet. Nonetheless, the ability to run arbitrary client‑side code poses a significant risk to affected administrators.

Generated by OpenCVE AI on April 14, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Hotel‑Management‑PHP if one is released.
  • If an upgrade is not available, sanitize all incoming GET parameters and implement proper output encoding for any data rendered in HTML.
  • Avoid embedding unsanitized user input directly in URLs or JavaScript contexts.

Generated by OpenCVE AI on April 14, 2026 at 20:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Alandsilva26
Alandsilva26 hotel-management-php
Vendors & Products Alandsilva26
Alandsilva26 hotel-management-php

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via room_id Parameter in Hotel‑Management‑PHP 1.0

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via room_id Parameter in Hotel‑Management‑PHP 1.0
Weaknesses CWE-79

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.
References

Subscriptions

Alandsilva26 Hotel-management-php
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T18:02:48.116Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65132

cve-icon Vulnrichment

Updated: 2026-04-14T18:02:43.729Z

cve-icon NVD

Status : Deferred

Published: 2026-04-14T16:16:33.837

Modified: 2026-06-17T09:55:29.817

Link: CVE-2025-65132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:03:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')