Skip to content
Threat Feed
high threat exploited

CVE-2026-14763: SQL Injection in code-projects Hotel and Tourism Reservation

A SQL injection vulnerability, tracked as CVE-2026-14763, has been discovered in code-projects Hotel and Tourism Reservation version 1.0. The flaw affects an unknown function within the '/admin/tour_reserves.php' file, specifically in the 'Tour Reservations Page' component, due to improper handling of the 'tour' argument, allowing for remote SQL injection attacks, and a public exploit is available, increasing the risk of compromise.

A critical SQL injection vulnerability, identified as CVE-2026-14763, exists in version 1.0 of the code-projects Hotel and Tourism Reservation software. This flaw specifically impacts the "Tour Reservations Page" component, residing within the /admin/tour_reserves.php file. Attackers can remotely exploit this vulnerability by manipulating the tour argument in HTTP GET requests, which is then improperly handled, leading to the execution of arbitrary SQL commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High). A public exploit has been published and may be used, indicating a heightened risk of active exploitation against unpatched systems. Organizations utilizing this reservation system are strongly advised to take immediate action to mitigate the risk of data compromise and unauthorized access.

Attack Chain

  1. An attacker identifies a publicly accessible instance of code-projects Hotel and Tourism Reservation 1.0.
  2. The attacker crafts a malicious HTTP GET request targeting the vulnerable endpoint /admin/tour_reserves.php.
  3. This request includes specially crafted SQL injection payloads embedded within the tour argument (e.g., ' OR 1=1--, UNION SELECT).
  4. The Hotel and Tourism Reservation web application receives the request and processes the tour argument without adequate input sanitization.
  5. The malicious input is directly concatenated into a backend SQL query, causing the database to execute the attacker's arbitrary SQL commands.
  6. Successful SQL injection allows the attacker to retrieve sensitive information (e.g., user credentials, booking details) from the database, modify existing data, or potentially gain further access to the underlying server depending on database privileges.
  7. The attacker exfiltrates the compromised data or leverages the access for further malicious activities, such as website defacement or pivot to other systems.

Impact

Successful exploitation of CVE-2026-14763 can lead to severe consequences for organizations using the code-projects Hotel and Tourism Reservation 1.0 software. Attackers can gain unauthorized access to the application's backend database, potentially leading to the exfiltration of sensitive customer data (e.g., personal information, contact details, booking histories), administrative credentials, and other proprietary business information. This data compromise can result in significant financial losses, reputational damage, regulatory penalties, and a loss of customer trust. Given the "public exploit available" status, organizations running affected versions face an imminent threat of being targeted and breached if not promptly patched.

Recommendation

  • Immediately patch or update code-projects Hotel and Tourism Reservation 1.0 to a non-vulnerable version if available. Monitor the https://code-projects.org/ website for official patches.
  • Deploy the Sigma rule Detect CVE-2026-14763 Exploitation - SQL Injection in Tour Reservations Page provided in this brief to your SIEM for early detection of exploitation attempts.
  • Monitor web server logs for HTTP requests targeting /admin/tour_reserves.php with unusual or suspicious characters in the tour query parameter, as indicated in the Sigma rule.
  • Implement a Web Application Firewall (WAF) in front of the Hotel and Tourism Reservation application to filter and block malicious SQL injection payloads targeting CVE-2026-14763.
  • Regularly review and sanitize user input across all web applications to prevent similar SQL injection vulnerabilities.

Detection coverage 1

Detect CVE-2026-14763 Exploitation - SQL Injection in Tour Reservations Page

high

Detects CVE-2026-14763 exploitation — HTTP GET requests to '/admin/tour_reserves.php' with SQL injection payloads in the 'tour' query parameter.

sigma tactics: defense_evasion, initial_access techniques: T1190, T1561.002 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

6

url

TypeValue
urlhttps://code-projects.org/
urlhttps://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md
urlhttps://vuldb.com/cve/CVE-2026-14763
urlhttps://vuldb.com/submit/850581
urlhttps://vuldb.com/vuln/376352
urlhttps://vuldb.com/vuln/376352/cti