CVE-2026-14755: Remote SQL Injection in code-projects Hotel and Tourism Reservation
A critical remote unauthenticated SQL injection vulnerability (CVE-2026-14755) in code-projects Hotel and Tourism Reservation version 1.0, specifically within the '/admin/reservations.php' file's 'delete' argument, allows attackers to manipulate backend database queries, leading to data exposure and manipulation with a publicly disclosed exploit.
A high-severity remote SQL injection vulnerability, identified as CVE-2026-14755, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation application. This flaw resides in the /admin/reservations.php file, within the Reservations Management Page component. Attackers can remotely exploit this by manipulating the delete argument in HTTP requests, leading to arbitrary SQL query execution on the backend database. This vulnerability allows for unauthorized access to, modification of, or deletion of sensitive reservation data. The exploit details have been publicly disclosed, increasing the risk of widespread exploitation. Organizations using this specific version of the software are urged to take immediate action to mitigate the risk of data compromise, service disruption, and potential full system compromise.
Attack Chain
- An unauthenticated attacker identifies an exposed instance of code-projects Hotel and Tourism Reservation 1.0.
- The attacker crafts a malicious HTTP GET request targeting the
/admin/reservations.phpendpoint. - The request includes a specifically crafted
deleteargument containing SQL injection payloads (e.g.,delete=' UNION SELECT ... --'). - The vulnerable application processes this
deleteargument without proper input sanitization, leading to the attacker's SQL payload being appended to and executed by the backend database query. - The application's response reveals information about the database structure or sensitive data extracted via the SQL injection.
- The attacker leverages the successful injection to exfiltrate confidential customer and reservation data, manipulate existing records, or potentially gain further access to the underlying system depending on database privileges.
Impact
Successful exploitation of CVE-2026-14755 can lead to severe consequences for organizations utilizing the vulnerable software. Attackers can gain full control over the application's database, allowing them to exfiltrate sensitive customer information (names, contact details, payment information if stored), manipulate or delete reservation records, and potentially disrupt business operations. Given the public disclosure of the exploit, any internet-facing instance of Hotel and Tourism Reservation 1.0 is at high risk. This can result in significant financial losses, reputational damage, regulatory fines, and loss of customer trust.
Recommendation
- Immediately patch or upgrade code-projects Hotel and Tourism Reservation to a version that addresses CVE-2026-14755, if available. If no patch exists, remove the application from production until a secure version is released.
- Deploy the provided Sigma rule to detect attempts to exploit CVE-2026-14755 via the
/admin/reservations.phpendpoint in your web server logs. - Implement a Web Application Firewall (WAF) to inspect and block malicious HTTP requests, specifically those targeting
/admin/reservations.phpwith SQL injection payloads in thedeleteparameter. - Review web server access logs for anomalous requests to the
/admin/reservations.phppath, especially those containing common SQL injection keywords or unusual characters in query parameters.
Detection coverage 1
Detects CVE-2026-14755 Exploitation — SQLi in Hotel and Tourism Reservation
highDetects exploitation attempts for CVE-2026-14755, an SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0, by monitoring web server logs for malicious queries to '/admin/reservations.php' with SQLi patterns in the 'delete' argument.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
1
url_path
| Type | Value |
|---|---|
| url | https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_event.php-SQLi.md |
| url_path | /admin/reservations.php |