Description
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.
Published: 2026-04-13
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection could allow unauthorized data access or modification
Action: Patch or Mitigate
AI Analysis

Impact

The vulnerability resides in the Sourcecodester Online Resort Management System, specifically the view_room.php endpoint. It allows an attacker to inject arbitrary SQL statements into the query used to fetch room data. If exploited, the attacker could read sensitive data, modify or delete records, or potentially gain higher-level access depending on database privileges. The weakness aligns with injection flaws as indicated by CWE-89.

Affected Systems

Affected users are those running Sourcecodester Online Resort Management System version 1.0. No other product or vendor versions are listed as impacted. The application provides administrative room viewing functionality that is not protected against injection.

Risk and Exploitability

The CVSS score of 2.7 indicates a low severity overall, suggesting that the exploit may be limited by required authentication or other constraints not described. No EPSS data is available, and the vulnerability is not in the CISA KEV catalog, implying low current exploitation likelihood. The attack vector appears to be application-level input handling on the specified endpoint; it is inferred that malicious input submitted to the view_room.php script would be used directly in a database query.

Generated by OpenCVE AI on April 13, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch or upgrade to a version of Sourcecodester Online Resort Management System that addresses the SQL injection issue if one is available.
  • If no patch exists, modify the application to use prepared statements or stored procedures for database access in view_room.php.
  • Consider restricting database user privileges to read-only for the application to limit damage.
  • Implement input validation and sanitization for all user-supplied data in the affected endpoint.
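The second and fourth recommended actions, as an added example that is not code from the Sourcecodester project: a hypothetical room-lookup handler written once in the concatenating form the advisory describes and once in a hardened form that validates the identifier and uses a PDO prepared statement. The query parameter name `id`, the table name `rooms`, the database name and the credentials are assumptions, not details taken from the advisory.

```php
<?php
// Added example (not code from the Sourcecodester project): hardening a
// room-lookup endpoint against SQL injection with PDO prepared statements.
// Assumptions (hypothetical, not taken from the advisory): the room id
// arrives as the GET parameter "id", rooms live in a table named "rooms",
// and the database is MySQL reached through PDO.

declare(strict_types=1);

// PATTERN TO REPLACE: user input concatenated straight into the SQL text.
// Whatever the client places in "id" becomes part of the statement.
function fetchRoomUnsafe(PDO $db, string $rawId): ?array
{
    $sql = "SELECT id, name, price, status FROM rooms WHERE id = '" . $rawId . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the type first, then let the driver bind the value so
// the server never parses it as SQL.
function fetchRoomSafe(PDO $db, string $rawId): ?array
{
    // Room ids are positive integers; reject everything else before querying.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, name, price, status FROM rooms WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connect(): PDO
{
    // Database name and credentials are placeholders. The account used here
    // should hold only the privileges this page needs (SELECT on rooms), so
    // a flaw elsewhere cannot be turned into record modification or deletion.
    return new PDO(
        'mysql:host=localhost;dbname=orms_db;charset=utf8mb4',
        'orms_readonly',
        'CHANGE_ME',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly on errors
            PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
        ]
    );
}

// Endpoint usage: no raw request input ever reaches the query text.
$db   = connect();
$room = fetchRoomSafe($db, $_GET['id'] ?? '');
if ($room === null) {
    http_response_code(404);
    exit('Room not found');
}
header('Content-Type: application/json');
echo json_encode($room);
```

Disabling emulated prepares makes the MySQL server perform the parameter binding itself, and the integer validation before the query rejects malformed identifiers early, which also gives the application a clean place to log rejected input for detection.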


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: SQL Injection Vulnerability in Sourcecodester Online Resort Management System

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester online Resort Management System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester online Resort Management System

Mon, 13 Apr 2026 21:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T20:20:39.059Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36938

Vulnrichment

Updated: 2026-04-13T20:20:29.831Z

NVD

Status : Deferred

Published: 2026-04-13T16:16:30.033

Modified: 2026-06-17T10:41:23.907

Link: CVE-2026-36938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:35:39Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')