CVE-2026-14763: SQL Injection in code-projects Hotel and Tourism Reservation
A SQL injection vulnerability, tracked as CVE-2026-14763, has been discovered in code-projects Hotel and Tourism Reservation version 1.0. The flaw affects an unknown function within the '/admin/tour_reserves.php' file, specifically in the 'Tour Reservations Page' component, due to improper handling of the 'tour' argument, allowing for remote SQL injection attacks, and a public exploit is available, increasing the risk of compromise.
A critical SQL injection vulnerability, identified as CVE-2026-14763, exists in version 1.0 of the code-projects Hotel and Tourism Reservation software. This flaw specifically impacts the "Tour Reservations Page" component, residing within the /admin/tour_reserves.php file. Attackers can remotely exploit this vulnerability by manipulating the tour argument in HTTP GET requests, which is then improperly handled, leading to the execution of arbitrary SQL commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High). A public exploit has been published and may be used, indicating a heightened risk of active exploitation against unpatched systems. Organizations utilizing this reservation system are strongly advised to take immediate action to mitigate the risk of data compromise and unauthorized access.
Attack Chain
- An attacker identifies a publicly accessible instance of
code-projects Hotel and Tourism Reservation 1.0. - The attacker crafts a malicious HTTP GET request targeting the vulnerable endpoint
/admin/tour_reserves.php. - This request includes specially crafted SQL injection payloads embedded within the
tourargument (e.g.,' OR 1=1--,UNION SELECT). - The
Hotel and Tourism Reservationweb application receives the request and processes thetourargument without adequate input sanitization. - The malicious input is directly concatenated into a backend SQL query, causing the database to execute the attacker's arbitrary SQL commands.
- Successful SQL injection allows the attacker to retrieve sensitive information (e.g., user credentials, booking details) from the database, modify existing data, or potentially gain further access to the underlying server depending on database privileges.
- The attacker exfiltrates the compromised data or leverages the access for further malicious activities, such as website defacement or pivot to other systems.
Impact
Successful exploitation of CVE-2026-14763 can lead to severe consequences for organizations using the code-projects Hotel and Tourism Reservation 1.0 software. Attackers can gain unauthorized access to the application's backend database, potentially leading to the exfiltration of sensitive customer data (e.g., personal information, contact details, booking histories), administrative credentials, and other proprietary business information. This data compromise can result in significant financial losses, reputational damage, regulatory penalties, and a loss of customer trust. Given the "public exploit available" status, organizations running affected versions face an imminent threat of being targeted and breached if not promptly patched.
Recommendation
- Immediately patch or update
code-projects Hotel and Tourism Reservation 1.0to a non-vulnerable version if available. Monitor thehttps://code-projects.org/website for official patches. - Deploy the Sigma rule
Detect CVE-2026-14763 Exploitation - SQL Injection in Tour Reservations Pageprovided in this brief to your SIEM for early detection of exploitation attempts. - Monitor web server logs for HTTP requests targeting
/admin/tour_reserves.phpwith unusual or suspicious characters in thetourquery parameter, as indicated in the Sigma rule. - Implement a Web Application Firewall (WAF) in front of the
Hotel and Tourism Reservationapplication to filter and block malicious SQL injection payloads targeting CVE-2026-14763. - Regularly review and sanitize user input across all web applications to prevent similar SQL injection vulnerabilities.
Detection coverage 1
Detect CVE-2026-14763 Exploitation - SQL Injection in Tour Reservations Page
highDetects CVE-2026-14763 exploitation — HTTP GET requests to '/admin/tour_reserves.php' with SQL injection payloads in the 'tour' query parameter.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
6
url
| Type | Value |
|---|---|
| url | https://code-projects.org/ |
| url | https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md |
| url | https://vuldb.com/cve/CVE-2026-14763 |
| url | https://vuldb.com/submit/850581 |
| url | https://vuldb.com/vuln/376352 |
| url | https://vuldb.com/vuln/376352/cti |