CVE-2026-13557
MediumCVSS 4.3Summary
A cross-site scripting vulnerability was found in itsourcecode Online Hotel Management System 1.0 in the file /admin/mod_room/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote injection of malicious scripts. The exploit is publicly available.
Risk Assessment
An attacker can steal administrator sessions, redirect users to malicious sites, or perform other actions in the victim's browser context, compromising the confidentiality and integrity of the system.
Recommendation
Immediately update the system to the latest version or apply a security patch. Additionally, implement input validation and sanitization for the Name argument.
Original NVD description (English source)
A vulnerability was identified in itsourcecode Online Hotel Management System 1.0. This vulnerability affects unknown code of the file /admin/mod_room/controller.php?action=add of the component POST Request Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used.

