CVE-2026-14762: Remote SQL Injection in code-projects Hotel and Tourism Reservation
A critical SQL injection vulnerability (CVE-2026-14762) exists in code-projects Hotel and Tourism Reservation version 1.0, located in the `/admin/rooms.php` file's Room Management Page, allowing remote attackers to manipulate the `delete` argument for data compromise, with a public exploit now available.
A significant vulnerability, identified as CVE-2026-14762, has been discovered in code-projects Hotel and Tourism Reservation version 1.0. This flaw specifically impacts an unspecified function within the /admin/rooms.php file, part of the application's Room Management Page. Attackers can exploit this vulnerability by manipulating the delete argument with SQL injection payloads. This issue is remotely exploitable, meaning an attacker does not require local access to the affected system. The exploit code for CVE-2026-14762 is publicly available, increasing the urgency for immediate mitigation by organizations utilizing this software. Successful exploitation can lead to unauthorized access, modification, or deletion of database contents, potentially compromising sensitive customer or reservation data.
Attack Chain
- Attacker identifies a vulnerable instance of code-projects Hotel and Tourism Reservation 1.0 exposed to the internet.
- Attacker crafts a malicious HTTP GET request targeting the
/admin/rooms.phpendpoint. - The request includes a specially crafted SQL injection payload within the
deleteargument, bypassing input sanitization (e.g.,GET /admin/rooms.php?delete=' OR 1=1--). - The vulnerable PHP application processes the request and concatenates the malicious
deleteargument value directly into an SQL query. - The backend database executes the attacker-controlled SQL query, treating the payload as legitimate SQL code.
- Depending on the payload, the database may return sensitive information, allow data modification/deletion, or enable further database compromise.
- The application returns the result of the arbitrary SQL query to the attacker via the HTTP response.
- Attacker achieves unauthorized access to, or modification of, the application's underlying database, potentially leading to full data compromise.
Impact
Successful exploitation of CVE-2026-14762 grants attackers unauthorized access to the application's database. This can lead to the exfiltration of sensitive information, such as customer details, reservation data, or administrator credentials. Attackers could also modify or delete critical operational data, causing service disruption or data integrity issues. Given that the exploit is public, organizations using Hotel and Tourism Reservation 1.0 are at immediate and severe risk of data breaches and operational downtime. The CVSS v3.1 score of 7.3 (HIGH) reflects the potential for significant impact on confidentiality, integrity, and availability.
Recommendation
- Patch CVE-2026-14762 by updating code-projects Hotel and Tourism Reservation 1.0 to a secure version as soon as a fix is available from the vendor.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.
- Implement a Web Application Firewall (WAF) to inspect and block malicious HTTP requests containing SQL injection payloads targeting
/admin/rooms.php. - Regularly review web server access logs for suspicious requests to
/admin/rooms.phpthat include uncommon characters or SQL keywords in the query parameters.
Detection coverage 1
Detects CVE-2026-14762 Exploitation — Hotel and Tourism Reservation SQLi
highDetects exploitation attempts for CVE-2026-14762, an SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0, by identifying malicious patterns in the 'delete' argument of requests to '/admin/rooms.php'.
Detection queries are available on the platform. Get full rules →