CVE-2026-13555
HighCVSS 7.3Summary
A SQL injection vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_users/controller.php?action=add. Manipulation of the Name argument allows remote SQL injection. The exploit has been made public, increasing attack risk.
Risk Assessment
An attacker can remotely extract, modify, or delete database data, including user and booking information, leading to confidentiality and integrity breaches.
Recommendation
Immediately implement parameterized SQL queries or input validation for the Name argument. Update the system to the latest version or apply temporary patches.
Original NVD description (English source)
A vulnerability was found in itsourcecode Online Hotel Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/mod_users/controller.php?action=add. The manipulation of the argument Name results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

