CVE Catalog

CVE-2026-13554

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

A cross-site scripting vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote script injection. The exploit has been disclosed.

Risk Assessment

An attacker can remotely execute malicious scripts in the administrator's browser, potentially leading to session theft, defacement, or data theft.

Recommendation

Immediately update the system to the latest version or apply input filtering (validation and sanitization) for the Name argument in controller.php.

Original NVD description (English source)

A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS