Description
A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Manipulating the argument Home can lead to SQL injection. The attack can be performed remotely. The exploit has been published and may be used.
Published: 2026-03-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A SQL injection vulnerability exists in the itsourcecode Free Hotel Reservation System 1.0 within the /hotel/admin/mod_reports/index.php file. By manipulating the 'Home' query parameter, an attacker can inject arbitrary SQL code. This flaw allows an attacker to read, modify, or delete sensitive data stored in the system’s database, thereby compromising the confidentiality and integrity of reservation information. The weakness corresponds to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection") and CWE-89 (SQL Injection).

Affected Systems

The affected product is the itsourcecode Free Hotel Reservation System, version 1.0. The description does not identify the specific code affected within the file. Users running this version of the application should verify whether the vulnerable file /hotel/admin/mod_reports/index.php is present, as it contains the exploitable code.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating medium severity. Its EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is remote, as indicated by the CVE description, and the exploit has been published, implying that attackers may already be using it in the field.

Generated by OpenCVE AI on March 17, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website or community forum for any patch or updated version.
  • Apply the patch or upgrade to the latest version once available.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 16 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. |
| Title | | itsourcecode Free Hotel Reservation System index.php sql injection |
| First Time appeared | | Itsourcecode, Itsourcecode free Hotel Reservation System |
| Weaknesses | | CWE-74, CWE-89 |
| CPEs | | cpe:2.3:a:itsourcecode:free_hotel_reservation_system:*:*:*:*:*:*:*:* |
| Vendors & Products | | Itsourcecode, Itsourcecode free Hotel Reservation System |
| References | | |
| Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T14:54:42.844Z

Reserved: 2026-03-15T20:33:19.873Z

Link: CVE-2026-4237

Vulnrichment

Updated: 2026-03-16T14:54:39.220Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:20:18.220

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:30Z
