Description
A vulnerability has been found in SourceCodester Hotel Management System 1.0. It affects an unknown function of the file /index.php/reservation/check. Manipulation of the argument room_type leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the reservation check endpoint, where the room_type parameter can be crafted to inject arbitrary SQL statements. This permits attackers to read, alter, or delete data stored in the underlying database, potentially exposing sensitive guest information or compromising booking logic. The vulnerability is triggered by user input, so it can be exercised without any special privileges.

Affected Systems

The issue affects SourceCodester Hotel Management System version 1.0. No other affected versions are documented in the available data.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as medium severity, and the EPSS score is not available. It is not listed in the CISA KEV catalog, but the remote nature of the attack vector increases its practicality. An attacker can leverage the exposed input to execute SQL commands, making diligent remediation a priority.

Generated by OpenCVE AI on May 1, 2026 at 04:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade SourceCodester Hotel Management System to the latest available version that contains a fix for the SQL injection flaw.
  • If a patch is unavailable, modify the input handling for room_type to enforce strict validation and use parameterized queries or prepared statements to eliminate injection opportunities.
  • Deploy a web application firewall configured to detect and block malicious SQL payloads targeting the reservation endpoint.
  • Revoke unnecessary database privileges from the web application account, limiting it to only the permissions required for normal operation.
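The second recommendation in PHP, the language the application is written in; this is an added illustration, not SourceCodester's code. The `rooms` table, its columns, the list of allowed room types and the in-memory SQLite database are assumptions, since the endpoint's actual query and schema are not documented on this page.

```php
<?php
// Added illustration, not SourceCodester's code: hardened handling of the
// room_type parameter for a reservation availability check. The real
// endpoint's query and schema are not on this page, so the `rooms` table,
// its columns and the room types below are assumptions.
declare(strict_types=1);

// Allowlist of room types (assumed). Anything else is rejected before it
// gets anywhere near the database.
const ALLOWED_ROOM_TYPES = ['single', 'double', 'suite'];

function validateRoomType(mixed $raw): ?string
{
    if (!is_string($raw)) {          // arrays or missing values are rejected too
        return null;
    }
    $value = strtolower(trim($raw));
    return in_array($value, ALLOWED_ROOM_TYPES, true) ? $value : null;
}

function countAvailableRooms(PDO $pdo, string $roomType): int
{
    // Prepared statement: the value travels separately from the SQL text, so
    // it cannot alter the statement's structure. Contrast with the CWE-89
    // pattern "... WHERE room_type = '" . $_GET['room_type'] . "'".
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM rooms WHERE room_type = :room_type AND status = :status'
    );
    $stmt->execute([':room_type' => $roomType, ':status' => 'available']);
    return (int) $stmt->fetchColumn();
}

function handleReservationCheck(PDO $pdo, array $query): array
{
    $roomType = validateRoomType($query['room_type'] ?? null);
    if ($roomType === null) {
        // Reject and leave a trace for detection; do not echo the raw value back.
        error_log('reservation/check: rejected room_type value');
        return ['status' => 400, 'error' => 'invalid room_type'];
    }
    return ['status' => 200, 'available' => countAvailableRooms($pdo, $roomType)];
}

// Stand-alone demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE rooms (id INTEGER PRIMARY KEY, room_type TEXT, status TEXT)');
$pdo->exec("INSERT INTO rooms (room_type, status) VALUES
            ('single', 'available'), ('single', 'booked'), ('suite', 'available')");
var_dump(handleReservationCheck($pdo, ['room_type' => 'single']));  // legitimate request
var_dump(handleReservationCheck($pdo, ['room_type' => "suite'"]));  // quote character: rejected
```

The allowlist stops malformed values at the edge, and the prepared statement protects the query even if the allowlist is later relaxed.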

Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type: Metrics
  Values removed: none
  Values added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 08:45:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Sourcecodester; Sourcecodester hotel Management System
Type: Vendors & Products
  Values removed: none
  Values added: Sourcecodester; Sourcecodester hotel Management System

Thu, 30 Apr 2026 22:45:00 +0000

Type: Description
  Values removed: none
  Values added: A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Type: Title
  Values removed: none
  Values added: SourceCodester Hotel Management System check sql injection
Type: Weaknesses
  Values removed: none
  Values added: CWE-74; CWE-89
Type: References
  Values removed: none
  Values added: (none listed)
Type: Metrics
  Values removed: none
  Values added:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T14:21:30.732Z

Reserved: 2026-04-30T14:52:45.598Z

Link: CVE-2026-7506

Vulnrichment

Updated: 2026-05-01T14:21:03.170Z

NVD

Status: Deferred

Published: 2026-04-30T23:16:20.917

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:00Z

Weaknesses