Description
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php.
Published: 2026-04-13
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the file /orms/admin/activities/manage_activity.php of the Sourcecodester Online Resort Management System. An attacker who can supply crafted input to this endpoint can influence the SQL queries sent to the database, potentially retrieving, modifying, or deleting data. The CVSS score of 2.7 indicates that the impact is limited but not negligible; it could expose sensitive information without elevating privileges or causing a denial of service.

Affected Systems

The affected product is Sourcecodester Online Resort Management System version 1.0. No other vendors or versions are listed, and no specific patch notes are provided.

Risk and Exploitability

The CVSS base score of 2.7 reflects a low-severity issue, and the exploit probability score is not available. The vulnerability is not catalogued in the CISA KEV list. The likely attack vector is a remote web-based request via the administrative interface, where unsanitized user input can be injected into SQL statements. An adversary exploiting this flaw would need access to the affected endpoint, but no special credentials are required beyond the normal operation of the application; the CVSS vector recorded for this CVE rates the required privileges as high (PR:H).

Generated by OpenCVE AI on April 13, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the source code around /orms/admin/activities/manage_activity.php and replace any query built by concatenating unsanitized user input with a parameterized query or prepared statement.
  • Sanitize and validate all input fields that interact with the database.
  • If possible, restrict write access to the manage_activity.php file and its directory to required service accounts only.
  • Monitor the application logs for suspicious database queries or error messages that may indicate injection attempts.
  • Apply any vendor‑supplied updates or patches as they become available, or otherwise customize the application to eliminate the injection point.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | SQL Injection Vulnerability in Sourcecodester Online Resort Management System |
| Weaknesses | | CWE-89 |

Tue, 14 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Sourcecodester; Sourcecodester online Resort Management System |
| Vendors & Products | | Sourcecodester; Sourcecodester online Resort Management System |

Mon, 13 Apr 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 13 Apr 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-10T13:20:03.543Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36942

Vulnrichment

Updated: 2026-04-13T20:25:15.287Z

NVD

Status: Deferred

Published: 2026-04-13T15:17:34.290

Modified: 2026-06-17T10:41:24.210

Link: CVE-2026-36942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:35:56Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')