CVE-2026-13554
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
A cross-site scripting vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote script injection. The exploit has been disclosed.
Risk Assessment
An attacker can remotely execute malicious scripts in the administrator's browser, potentially leading to session theft, defacement, or data theft.
Recommendation
Immediately update the system to the latest version or apply input filtering (validation and sanitization) for the Name argument in controller.php.
Original NVD description (English source)
A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

