Description
A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in the /admin/roomdelete.php script, where manipulating the ID argument results in SQL injection. An attacker can inject arbitrary SQL remotely using a crafted HTTP request. This can lead to unauthorized reading, modification, or deletion of room records, and potentially other data within the system's database. The related weaknesses are CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection').

Affected Systems

The affected product is the Hotel Management System developed by tushar-2223. No specific release identifiers are provided because the project uses a rolling release model without versioned releases at the time of the advisory. Any current deployment therefore remains vulnerable until a fix is released and applied.

Risk and Exploitability

The assessed CVSS score is 6.9 (Medium). EPSS data is not available and the issue is not listed in CISA's KEV catalog. The underlying attack vector is inferred to be remote, via HTTP(S) requests to the vulnerable endpoint, and an exploit is already publicly available, implying a non-negligible likelihood that attackers could leverage this weakness in the wild.

Generated by OpenCVE AI on April 13, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Hotel Management System released by tushar-2223.
  • Restrict access to /admin/roomdelete.php so that only authenticated administrators can reach it.
  • Modify the code to use parameterized SQL queries instead of directly inserting the ID value into the query.
  • Deploy a web application firewall rule to block suspicious ID parameters that contain SQL metacharacters.
  • Monitor database logs for unusual query patterns that may indicate an ongoing attempt to exploit SQL injection.
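
A delete handler that combines the access restriction and the parameterized query recommended above, as an added example (not the project's code). The request parameter name `id` sent via GET, the table `room`, the column `id`, the session key `admin_id`, the redirect target and the connection details are all assumptions.

```php
<?php
// Added example, not the project's code. Assumed names: GET parameter `id`,
// table `room`, column `id`, session key `admin_id`, DB credentials below.
declare(strict_types=1);
session_start();

// Restrict the endpoint to authenticated administrators.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Accept only a positive integer; anything else is rejected before it reaches SQL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid room id');
}

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'hotel_app', 'placeholder-password', 'hotel');
$db->set_charset('utf8mb4');

// The ID is bound as an integer parameter, never concatenated into the statement.
$stmt = $db->prepare('DELETE FROM room WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();

// Zero affected rows means no such room; report it explicitly.
if ($stmt->affected_rows === 0) {
    http_response_code(404);
    exit('Room not found');
}
$stmt->close();
$db->close();

header('Location: room.php'); // assumed listing page
exit;
```

The integer validation and the bound parameter are independent layers: either one alone stops the injection described here, and keeping both means a later change to one does not reopen it.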


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Values removed: none

Values added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Values removed: none

Values added:
  First Time appeared: Tushar-2223; Tushar-2223 hotel-management-system
  Vendors & Products: Tushar-2223; Tushar-2223 hotel-management-system

Mon, 13 Apr 2026 01:15:00 +0000

Values removed: none

Values added:
  Description: A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
  Title: tushar-2223 Hotel Management System roomdelete.php sql injection
  Weaknesses: CWE-74, CWE-89
  References:
  Metrics:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T19:12:29.105Z

Reserved: 2026-04-12T07:51:36.606Z

Link: CVE-2026-6142

Vulnrichment

Updated: 2026-04-13T19:12:25.706Z

NVD

Status: Deferred

Published: 2026-04-13T01:16:36.100

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6142

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:53:45Z

Weaknesses