Skip to content
Threat Feed
high threat exploited

CVE-2026-14764: SQL Injection in code-projects Hotel and Tourism Reservation

An unauthenticated attacker can remotely exploit CVE-2026-14764, an SQL injection vulnerability in code-projects Hotel and Tourism Reservation 1.0's `/admin/add_event.php` component via the `fdetails` argument, to manipulate database queries and compromise sensitive data, with public exploit disclosure increasing the risk of active exploitation.

A critical SQL injection vulnerability, tracked as CVE-2026-14764, has been identified in code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in the 'Event Management Page' component, specifically affects the /admin/add_event.php file where the fdetails argument is susceptible to improper neutralization of special elements. Attackers can remotely manipulate this argument to inject malicious SQL queries, leading to data compromise. The vulnerability has been publicly disclosed, with exploit details available, significantly increasing the likelihood of active exploitation against unpatched systems running this software. Organizations utilizing code-projects Hotel and Tourism Reservation 1.0 are strongly advised to implement mitigations immediately to prevent unauthorized access and data breaches.

Attack Chain

  1. An unauthenticated attacker identifies an internet-facing instance of code-projects Hotel and Tourism Reservation 1.0.
  2. The attacker crafts a malicious HTTP POST or GET request targeting the /admin/add_event.php endpoint.
  3. The attacker injects SQL payloads into the fdetails argument, which is processed by the vulnerable application.
  4. The application processes the request without properly sanitizing the input, leading to the execution of the attacker's SQL queries.
  5. The malicious SQL query allows the attacker to read, modify, or delete database content, potentially extracting sensitive information or altering application behavior.
  6. The attacker successfully compromises the underlying database, gaining unauthorized access to user credentials, booking details, or other critical data.

Impact

Successful exploitation of CVE-2026-14764 can lead to significant data compromise, including the exfiltration of sensitive customer information, booking data, and administrative credentials stored in the application's database. This can result in reputational damage, regulatory penalties, and further attacks against affected entities. Given that exploit details have been publicly disclosed, unpatched systems face an immediate and elevated risk of being targeted by malicious actors seeking to leverage this vulnerability for financial gain or disruptive purposes.

Recommendation

  • Prioritize patching or upgrading code-projects Hotel and Tourism Reservation to a version that addresses CVE-2026-14764, once available from the vendor.
  • Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of CVE-2026-14764 against your web servers.
  • Implement a Web Application Firewall (WAF) in front of the vulnerable application to detect and block malicious HTTP requests containing SQL injection payloads, specifically targeting cs-uri-stem: "/admin/add_event.php" and the fdetails parameter.
  • Enable detailed webserver access logging (e.g., Apache, Nginx, IIS) to capture cs-uri-stem, cs-uri-query, and HTTP method, essential for forensic analysis and detection.

Detection coverage 1

Detects CVE-2026-14764 Exploitation — SQL Injection in Hotel and Tourism Reservation

high

Detects CVE-2026-14764 exploitation — SQL injection attempts targeting the /admin/add_event.php endpoint's fdetails argument in code-projects Hotel and Tourism Reservation 1.0.

sigma tactics: execution, initial_access techniques: T1059.001, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →