{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code-projects/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14756"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hotel and Tourism Reservation 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","code-projects"],"_cs_type":"threat","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability, identified as CVE-2026-14756, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation web application. This flaw resides within the Tour Management Page component, specifically affecting the \u003ccode\u003e/admin/add_tour.php\u003c/code\u003e file. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to manipulate the \u003ccode\u003edelete_image\u003c/code\u003e argument with malicious SQL queries. This remote vulnerability enables unauthenticated attackers to bypass security measures, gain unauthorized access to the database, extract sensitive information, or corrupt data. The exploit details for this vulnerability have been publicly disclosed, increasing the urgency for immediate remediation due to the heightened risk of exploitation in the wild. Defenders must prioritize patching and implementing robust detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an exposed instance of code-projects Hotel and Tourism Reservation version 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially designed HTTP POST request targeting the \u003ccode\u003e/admin/add_tour.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an SQL injection payload embedded within the \u003ccode\u003edelete_image\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes this request without properly sanitizing the \u003ccode\u003edelete_image\u003c/code\u003e input, directly incorporating the malicious payload into a backend SQL query.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker's injected SQL query, allowing for unauthorized data access, modification, or deletion.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the successful SQL injection to bypass authentication, exfiltrate sensitive data (e.g., user credentials, booking details), or manipulate existing database records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14756 can lead to severe consequences for organizations utilizing the vulnerable application. Attackers can gain full control over the application's database, leading to the compromise of customer personal identifiable information (PII), payment data, and sensitive business operational details. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption due to data manipulation or deletion. With the exploit publicly available, organizations face an immediate and high risk of data breaches and system integrity compromise if the vulnerability remains unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch or apply available updates for \u003ccode\u003ecode-projects Hotel and Tourism Reservation 1.0\u003c/code\u003e to address \u003ccode\u003eCVE-2026-14756\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM for detection of \u003ccode\u003eCVE-2026-14756\u003c/code\u003e exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnsure Web Application Firewall (WAF) rules are configured to detect and block common SQL injection patterns, specifically targeting requests to \u003ccode\u003e/admin/add_tour.php\u003c/code\u003e with suspicious \u003ccode\u003edelete_image\u003c/code\u003e parameter values.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for \u003ccode\u003e/admin/add_tour.php\u003c/code\u003e for requests containing known SQL injection syntax or unusual characters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T15:20:14Z","date_published":"2026-07-05T15:20:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14756-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-14756) exists in code-projects Hotel and Tourism Reservation version 1.0, allowing unauthenticated attackers to exploit improper input sanitization in the `delete_image` parameter of `/admin/add_tour.php` to bypass authentication, extract sensitive data, or manipulate database records, with a public exploit available.","title":"CVE-2026-14756: SQL Injection in code-projects Hotel and Tourism Reservation","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14756-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14754"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hotel and Tourism Reservation 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","code-projects","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eCVE-2026-14754 details a high-severity SQL injection vulnerability affecting code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in an unspecified function within the \u003ccode\u003e/admin/add_room.php\u003c/code\u003e file, allows remote, unauthenticated attackers to inject malicious SQL queries by manipulating specific arguments like \u003ccode\u003edelete_image\u003c/code\u003e, \u003ccode\u003eedit\u003c/code\u003e, \u003ccode\u003edescription\u003c/code\u003e, \u003ccode\u003enumber\u003c/code\u003e, \u003ccode\u003eprice\u003c/code\u003e, \u003ccode\u003erooms\u003c/code\u003e, or \u003ccode\u003etype\u003c/code\u003e. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the immediate risk to organizations using the affected software. Given its remote exploitability and the availability of public exploits, this vulnerability poses a significant threat to the confidentiality and integrity of data stored within the application's database. Defenders should prioritize patching or implementing strong input validation to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An unauthenticated attacker sends an HTTP POST or GET request to the \u003ccode\u003e/admin/add_room.php\u003c/code\u003e endpoint of the vulnerable Hotel and Tourism Reservation 1.0 web application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eParameter Manipulation\u003c/strong\u003e: The attacker crafts the request to include malicious SQL syntax within one of the vulnerable arguments (e.g., \u003ccode\u003edelete_image\u003c/code\u003e, \u003ccode\u003eedit\u003c/code\u003e, \u003ccode\u003edescription\u003c/code\u003e, \u003ccode\u003enumber\u003c/code\u003e, \u003ccode\u003eprice\u003c/code\u003e, \u003ccode\u003erooms\u003c/code\u003e, or \u003ccode\u003etype\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSQL Injection\u003c/strong\u003e: The web application processes the request, and due to insufficient input sanitization, the embedded malicious SQL payload is passed directly to the backend database for execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDatabase Interaction\u003c/strong\u003e: The database server executes the attacker-controlled SQL query, which can be designed to retrieve, modify, or delete sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e: The results of the malicious SQL query, such as sensitive user credentials, payment information, or other confidential data, are returned within the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The attacker extracts the disclosed sensitive data, compromising the confidentiality of the application's database content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The successful SQL injection allows unauthorized access to the application's database, leading to potential data theft, manipulation, or denial of service, depending on the attacker's objectives and database privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14754 directly compromises the confidentiality and integrity of the data stored within the application's database. Attackers can exfiltrate sensitive customer and reservation data, modify booking details, or potentially manipulate administrator credentials for further access. While a specific number of victims is not available, any organization utilizing code-projects Hotel and Tourism Reservation 1.0 is at risk, particularly those with internet-facing deployments. The remote nature of the attack means that compromise can occur without physical access or prior authentication, making the impact widespread for affected instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch\u003c/strong\u003e: Immediately apply any available patches or updates for code-projects Hotel and Tourism Reservation 1.0 as they become available to address CVE-2026-14754.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Input Validation\u003c/strong\u003e: Deploy the Sigma rule \u003ccode\u003eCVE-2026-14754: Detect SQL Injection Attempts in Hotel Reservation System\u003c/code\u003e to your web application firewall (WAF) or SIEM to detect and potentially block requests containing SQL injection payloads targeting \u003ccode\u003e/admin/add_room.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Web Server Logs\u003c/strong\u003e: Ensure comprehensive logging is enabled for your web server (e.g., IIS, Apache, Nginx) to capture detailed HTTP request information, including full URI-stem and query parameters, which are crucial for activating the detection rule above.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Database Privileges\u003c/strong\u003e: Restrict the privileges of the database user account used by the web application to the absolute minimum necessary to function, thereby limiting the potential damage from a successful SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T14:22:49Z","date_published":"2026-07-05T14:22:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14754-hotel-reservation-sqli/","summary":"A critical SQL injection vulnerability (CVE-2026-14754) in code-projects Hotel and Tourism Reservation 1.0's `/admin/add_room.php` file allows a remote, unauthenticated attacker to manipulate arguments such as `delete_image`, `edit`, `description`, `number`, `price`, `rooms`, or `type` to execute arbitrary SQL commands, leading to sensitive data exposure and potential database compromise.","title":"CVE-2026-14754: SQL Injection in code-projects Hotel and Tourism Reservation","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14754-hotel-reservation-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Code-Projects","version":"https://jsonfeed.org/version/1.1"}