| Title | tushar-2223 Hotel Management System Latest SQL Injection |
|---|---|
| Description | A critical unauthenticated SQL injection vulnerability was discovered in the Hotel Management System. The id parameter in roomdelete.php and paymantdelete.php is directly concatenated into SQL queries without any input validation, leading to a full authentication bypass and unauthorized database manipulation. Full technical details and Secret PoC: https://gist.github.com/freeloader9527/a9ab20c922c6aa2b3eabf93e01a40f6b |
| Source | ⚠️ https://github.com/tushar-2223/Hotel-Management-System/issues/15 |
| User | wacool (UID 72886) |
| Submission | 04/02/2026 18:39 (11 days ago) |
| Moderation | 04/12/2026 09:51 (10 days later) |
| Status | Accepted |
| VulDB entry | 357006 [tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 /admin/roomdelete.php ID sql injection] |
| Points | 20 |