<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Code-Projects - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/code-projects/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 15:20:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/code-projects/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14756: SQL Injection in code-projects Hotel and Tourism Reservation</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14756-sql-injection/</link><pubDate>Sun, 05 Jul 2026 15:20:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14756-sql-injection/</guid><description>A remote SQL injection vulnerability (CVE-2026-14756) exists in code-projects Hotel and Tourism Reservation version 1.0, allowing unauthenticated attackers to exploit improper input sanitization in the `delete_image` parameter of `/admin/add_tour.php` to bypass authentication, extract sensitive data, or manipulate database records, with a public exploit available.</description><content:encoded><![CDATA[<p>A critical SQL injection vulnerability, identified as CVE-2026-14756, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation web application. This flaw resides within the Tour Management Page component, specifically affecting the <code>/admin/add_tour.php</code> file. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to manipulate the <code>delete_image</code> argument with malicious SQL queries. This remote vulnerability enables unauthenticated attackers to bypass security measures, gain unauthorized access to the database, extract sensitive information, or corrupt data. The exploit details for this vulnerability have been publicly disclosed, increasing the urgency for immediate remediation due to the heightened risk of exploitation in the wild. Defenders must prioritize patching and implementing robust detection mechanisms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an exposed instance of code-projects Hotel and Tourism Reservation version 1.0.</li>
<li>Attacker crafts a specially designed HTTP POST request targeting the <code>/admin/add_tour.php</code> endpoint.</li>
<li>The crafted request includes an SQL injection payload embedded within the <code>delete_image</code> parameter.</li>
<li>The vulnerable application processes this request without properly sanitizing the <code>delete_image</code> input, directly incorporating the malicious payload into a backend SQL query.</li>
<li>The database executes the attacker's injected SQL query, allowing for unauthorized data access, modification, or deletion.</li>
<li>Attacker leverages the successful SQL injection to bypass authentication, exfiltrate sensitive data (e.g., user credentials, booking details), or manipulate existing database records.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14756 can lead to severe consequences for organizations utilizing the vulnerable application. Attackers can gain full control over the application's database, leading to the compromise of customer personal identifiable information (PII), payment data, and sensitive business operational details. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption due to data manipulation or deletion. With the exploit publicly available, organizations face an immediate and high risk of data breaches and system integrity compromise if the vulnerability remains unpatched.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch or apply available updates for <code>code-projects Hotel and Tourism Reservation 1.0</code> to address <code>CVE-2026-14756</code>.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM for detection of <code>CVE-2026-14756</code> exploitation attempts.</li>
<li>Ensure Web Application Firewall (WAF) rules are configured to detect and block common SQL injection patterns, specifically targeting requests to <code>/admin/add_tour.php</code> with suspicious <code>delete_image</code> parameter values.</li>
<li>Monitor web server access logs for <code>/admin/add_tour.php</code> for requests containing known SQL injection syntax or unusual characters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>sql-injection</category><category>web-application</category><category>cve</category><category>code-projects</category></item><item><title>CVE-2026-14754: SQL Injection in code-projects Hotel and Tourism Reservation</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14754-hotel-reservation-sqli/</link><pubDate>Sun, 05 Jul 2026 14:22:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14754-hotel-reservation-sqli/</guid><description>A critical SQL injection vulnerability (CVE-2026-14754) in code-projects Hotel and Tourism Reservation 1.0's `/admin/add_room.php` file allows a remote, unauthenticated attacker to manipulate arguments such as `delete_image`, `edit`, `description`, `number`, `price`, `rooms`, or `type` to execute arbitrary SQL commands, leading to sensitive data exposure and potential database compromise.</description><content:encoded><![CDATA[<p>CVE-2026-14754 details a high-severity SQL injection vulnerability affecting code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in an unspecified function within the <code>/admin/add_room.php</code> file, allows remote, unauthenticated attackers to inject malicious SQL queries by manipulating specific arguments like <code>delete_image</code>, <code>edit</code>, <code>description</code>, <code>number</code>, <code>price</code>, <code>rooms</code>, or <code>type</code>. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the immediate risk to organizations using the affected software. Given its remote exploitability and the availability of public exploits, this vulnerability poses a significant threat to the confidentiality and integrity of data stored within the application's database. Defenders should prioritize patching or implementing strong input validation to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An unauthenticated attacker sends an HTTP POST or GET request to the <code>/admin/add_room.php</code> endpoint of the vulnerable Hotel and Tourism Reservation 1.0 web application.</li>
<li><strong>Parameter Manipulation</strong>: The attacker crafts the request to include malicious SQL syntax within one of the vulnerable arguments (e.g., <code>delete_image</code>, <code>edit</code>, <code>description</code>, <code>number</code>, <code>price</code>, <code>rooms</code>, or <code>type</code>).</li>
<li><strong>SQL Injection</strong>: The web application processes the request, and due to insufficient input sanitization, the embedded malicious SQL payload is passed directly to the backend database for execution.</li>
<li><strong>Database Interaction</strong>: The database server executes the attacker-controlled SQL query, which can be designed to retrieve, modify, or delete sensitive information.</li>
<li><strong>Information Disclosure</strong>: The results of the malicious SQL query, such as sensitive user credentials, payment information, or other confidential data, are returned within the HTTP response to the attacker.</li>
<li><strong>Data Exfiltration</strong>: The attacker extracts the disclosed sensitive data, compromising the confidentiality of the application's database content.</li>
<li><strong>Impact</strong>: The successful SQL injection allows unauthorized access to the application's database, leading to potential data theft, manipulation, or denial of service, depending on the attacker's objectives and database privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14754 directly compromises the confidentiality and integrity of the data stored within the application's database. Attackers can exfiltrate sensitive customer and reservation data, modify booking details, or potentially manipulate administrator credentials for further access. While a specific number of victims is not available, any organization utilizing code-projects Hotel and Tourism Reservation 1.0 is at risk, particularly those with internet-facing deployments. The remote nature of the attack means that compromise can occur without physical access or prior authentication, making the impact widespread for affected instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch</strong>: Immediately apply any available patches or updates for code-projects Hotel and Tourism Reservation 1.0 as they become available to address CVE-2026-14754.</li>
<li><strong>Implement Input Validation</strong>: Deploy the Sigma rule <code>CVE-2026-14754: Detect SQL Injection Attempts in Hotel Reservation System</code> to your web application firewall (WAF) or SIEM to detect and potentially block requests containing SQL injection payloads targeting <code>/admin/add_room.php</code>.</li>
<li><strong>Monitor Web Server Logs</strong>: Ensure comprehensive logging is enabled for your web server (e.g., IIS, Apache, Nginx) to capture detailed HTTP request information, including full URI-stem and query parameters, which are crucial for activating the detection rule above.</li>
<li><strong>Review Database Privileges</strong>: Restrict the privileges of the database user account used by the web application to the absolute minimum necessary to function, thereby limiting the potential damage from a successful SQL injection.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-application</category><category>cve</category><category>code-projects</category><category>remote-code-execution</category></item></channel></rss>