Skip to content
Threat Feed
high advisory

CVE-2026-14754: SQL Injection in code-projects Hotel and Tourism Reservation

A critical SQL injection vulnerability (CVE-2026-14754) in code-projects Hotel and Tourism Reservation 1.0's `/admin/add_room.php` file allows a remote, unauthenticated attacker to manipulate arguments such as `delete_image`, `edit`, `description`, `number`, `price`, `rooms`, or `type` to execute arbitrary SQL commands, leading to sensitive data exposure and potential database compromise.

CVE-2026-14754 details a high-severity SQL injection vulnerability affecting code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in an unspecified function within the /admin/add_room.php file, allows remote, unauthenticated attackers to inject malicious SQL queries by manipulating specific arguments like delete_image, edit, description, number, price, rooms, or type. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the immediate risk to organizations using the affected software. Given its remote exploitability and the availability of public exploits, this vulnerability poses a significant threat to the confidentiality and integrity of data stored within the application's database. Defenders should prioritize patching or implementing strong input validation to prevent exploitation.

Attack Chain

  1. Initial Access: An unauthenticated attacker sends an HTTP POST or GET request to the /admin/add_room.php endpoint of the vulnerable Hotel and Tourism Reservation 1.0 web application.
  2. Parameter Manipulation: The attacker crafts the request to include malicious SQL syntax within one of the vulnerable arguments (e.g., delete_image, edit, description, number, price, rooms, or type).
  3. SQL Injection: The web application processes the request, and due to insufficient input sanitization, the embedded malicious SQL payload is passed directly to the backend database for execution.
  4. Database Interaction: The database server executes the attacker-controlled SQL query, which can be designed to retrieve, modify, or delete sensitive information.
  5. Information Disclosure: The results of the malicious SQL query, such as sensitive user credentials, payment information, or other confidential data, are returned within the HTTP response to the attacker.
  6. Data Exfiltration: The attacker extracts the disclosed sensitive data, compromising the confidentiality of the application's database content.
  7. Impact: The successful SQL injection allows unauthorized access to the application's database, leading to potential data theft, manipulation, or denial of service, depending on the attacker's objectives and database privileges.

Impact

Successful exploitation of CVE-2026-14754 directly compromises the confidentiality and integrity of the data stored within the application's database. Attackers can exfiltrate sensitive customer and reservation data, modify booking details, or potentially manipulate administrator credentials for further access. While a specific number of victims is not available, any organization utilizing code-projects Hotel and Tourism Reservation 1.0 is at risk, particularly those with internet-facing deployments. The remote nature of the attack means that compromise can occur without physical access or prior authentication, making the impact widespread for affected instances.

Recommendation

  • Patch: Immediately apply any available patches or updates for code-projects Hotel and Tourism Reservation 1.0 as they become available to address CVE-2026-14754.
  • Implement Input Validation: Deploy the Sigma rule CVE-2026-14754: Detect SQL Injection Attempts in Hotel Reservation System to your web application firewall (WAF) or SIEM to detect and potentially block requests containing SQL injection payloads targeting /admin/add_room.php.
  • Monitor Web Server Logs: Ensure comprehensive logging is enabled for your web server (e.g., IIS, Apache, Nginx) to capture detailed HTTP request information, including full URI-stem and query parameters, which are crucial for activating the detection rule above.
  • Review Database Privileges: Restrict the privileges of the database user account used by the web application to the absolute minimum necessary to function, thereby limiting the potential damage from a successful SQL injection.

Detection coverage 1

CVE-2026-14754: Detect SQL Injection Attempts in Hotel Reservation System

high

Detects CVE-2026-14754 exploitation — SQL injection attempts targeting code-projects Hotel and Tourism Reservation 1.0 by manipulating arguments in /admin/add_room.php.

sigma tactics: impact, initial_access techniques: T1190, T1587 sources: webserver

Detection queries are available on the platform. Get full rules →