Description
alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Client‑side Remote Code Execution via XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic Cross‑Site Scripting flaw located in the edit_room.php endpoint of the hotel‑management‑php application. The flaw is triggered when an attacker supplies a specially crafted value for the room_id GET parameter, resulting in arbitrary JavaScript code being injected and executed in the victim’s browser. This allows an attacker to perform session hijacking, steal credentials, deface the site, or carry out other malicious client‑side actions.

Affected Systems

The only affected product listed is hotel‑management‑php version 1.0. No vendor or product name is supplied by the CNA, so the scope is limited to installations of that exact version of the application.

Risk and Exploitability

Because the flaw is triggered by a URL parameter, an attacker can exploit it from any location with network access to the application. No CVSS or EPSS score is provided, and the vulnerability is not present in the CISA KEV list. Nonetheless, XSS represents a high risk to confidentiality and integrity of user data, and remediation is strongly advised.

Generated by OpenCVE AI on April 14, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a later version of hotel‑management‑php that removes the vulnerability
  • If a patch is not available, implement input validation or output encoding for the room_id parameter to neutralize the injected script
  • Consider restricting access to the edit_room.php interface or requiring appropriate authentication and authorization before allowing data to be processed

Generated by OpenCVE AI on April 14, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via room_id Parameter in Hotel‑Management‑PHP 1.0
Weaknesses CWE-79

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T18:02:48.116Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65132

cve-icon Vulnrichment

Updated: 2026-04-14T18:02:43.729Z

cve-icon NVD

Status : Received

Published: 2026-04-14T16:16:33.837

Modified: 2026-04-14T18:16:40.957

Link: CVE-2025-65132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:42Z

Weaknesses