CVE-2026-14756: SQL Injection in code-projects Hotel and Tourism Reservation
A remote SQL injection vulnerability (CVE-2026-14756) exists in code-projects Hotel and Tourism Reservation version 1.0, allowing unauthenticated attackers to exploit improper input sanitization in the `delete_image` parameter of `/admin/add_tour.php` to bypass authentication, extract sensitive data, or manipulate database records, with a public exploit available.
A critical SQL injection vulnerability, identified as CVE-2026-14756, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation web application. This flaw resides within the Tour Management Page component, specifically affecting the /admin/add_tour.php file. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to manipulate the delete_image argument with malicious SQL queries. This remote vulnerability enables unauthenticated attackers to bypass security measures, gain unauthorized access to the database, extract sensitive information, or corrupt data. The exploit details for this vulnerability have been publicly disclosed, increasing the urgency for immediate remediation due to the heightened risk of exploitation in the wild. Defenders must prioritize patching and implementing robust detection mechanisms.
Attack Chain
- Attacker identifies an exposed instance of code-projects Hotel and Tourism Reservation version 1.0.
- Attacker crafts a specially designed HTTP POST request targeting the
/admin/add_tour.phpendpoint. - The crafted request includes an SQL injection payload embedded within the
delete_imageparameter. - The vulnerable application processes this request without properly sanitizing the
delete_imageinput, directly incorporating the malicious payload into a backend SQL query. - The database executes the attacker's injected SQL query, allowing for unauthorized data access, modification, or deletion.
- Attacker leverages the successful SQL injection to bypass authentication, exfiltrate sensitive data (e.g., user credentials, booking details), or manipulate existing database records.
Impact
Successful exploitation of CVE-2026-14756 can lead to severe consequences for organizations utilizing the vulnerable application. Attackers can gain full control over the application's database, leading to the compromise of customer personal identifiable information (PII), payment data, and sensitive business operational details. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption due to data manipulation or deletion. With the exploit publicly available, organizations face an immediate and high risk of data breaches and system integrity compromise if the vulnerability remains unpatched.
Recommendation
- Immediately patch or apply available updates for
code-projects Hotel and Tourism Reservation 1.0to addressCVE-2026-14756. - Deploy the Sigma rule provided in this brief to your SIEM for detection of
CVE-2026-14756exploitation attempts. - Ensure Web Application Firewall (WAF) rules are configured to detect and block common SQL injection patterns, specifically targeting requests to
/admin/add_tour.phpwith suspiciousdelete_imageparameter values. - Monitor web server access logs for
/admin/add_tour.phpfor requests containing known SQL injection syntax or unusual characters.
Detection coverage 1
Detects CVE-2026-14756 Exploitation — SQL Injection in Hotel Reservation
highDetects CVE-2026-14756 exploitation — crafted HTTP POST requests to `/admin/add_tour.php` with SQL injection payloads in the `delete_image` parameter.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
6
url
| Type | Value |
|---|---|
| url | https://code-projects.org/ |
| url | https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_tour.php-SQLi.md |
| url | https://vuldb.com/cve/CVE-2026-14756 |
| url | https://vuldb.com/submit/850366 |
| url | https://vuldb.com/vuln/376345 |
| url | https://vuldb.com/vuln/376345/cti |