CVE-2026-14755 in Hotel and Tourism Reservationinfo

Summary

by MITRE • 07/05/2026

A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/reservations.php of the component Reservations Management Page. The manipulation of the argument delete leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/05/2026

This vulnerability resides within the code-projects Hotel and Tourism Reservation 1.0 application where a sql injection flaw has been identified in the administrative reservations management interface. The specific weakness occurs in the /admin/reservations.php file when processing the delete parameter, creating an avenue for malicious actors to execute unauthorized database operations through crafted input manipulation. The vulnerability represents a critical security risk as it allows remote exploitation without requiring authentication or privileged access to the system. The attack vector is particularly concerning because it enables attackers to perform arbitrary sql commands against the underlying database, potentially leading to data exfiltration, modification of reservation records, or complete database compromise.

The technical implementation of this vulnerability demonstrates poor input validation practices where user-supplied data from the delete parameter is directly incorporated into sql query construction without proper sanitization or parameterization. This pattern aligns with CWE-89 which specifically addresses sql injection vulnerabilities arising from inadequate input handling in database operations. The flaw occurs at the application layer where user-controllable inputs are concatenated into sql statements rather than utilizing prepared statements or parameterized queries as recommended by industry security standards. Attackers can exploit this by crafting malicious payloads in the delete argument that manipulate the sql execution flow, potentially extracting sensitive information such as user credentials, reservation details, or system configuration data.

The operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise potential. Remote attackers can leverage this weakness to gain unauthorized access to confidential reservation data including guest personal information, payment details, and booking records that are typically protected by database access controls. The disclosure of this exploit to the public means that malicious actors can readily utilize automated tools or manual techniques to target installations running this vulnerable version of the hotel reservation system. Organizations using this software face significant risk of regulatory violations under data protection laws such as gdpr, pci dss, and hipaa due to potential exposure of sensitive personal information.

Mitigation strategies should prioritize immediate patching of the affected application to address the sql injection vulnerability through proper input validation and parameterized query implementation. System administrators must ensure that all user inputs are properly sanitized before processing and that prepared statements or stored procedures are utilized for database interactions. Network-level protections including web application firewalls and intrusion detection systems can provide additional defense in depth measures, though these should not replace proper code remediation. Regular security assessments and vulnerability scanning of deployed applications should be conducted to identify similar weaknesses in other components. The implementation of principle of least privilege access controls and regular database audit logging will help detect unauthorized access attempts and minimize potential damage from successful exploitation attempts. Organizations should also consider implementing automated patch management processes to ensure timely deployment of security updates across all system components.

Responsible

VulDB

Disclosure

07/05/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00269

KEV

no

Activities

low

Sector

Hospital

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!