High severity (score 7.3) · NVD Advisory · Published Sep 1, 2025 · Updated Apr 29, 2026

CVE-2025-9790


Description

A security flaw has been discovered in SourceCodester Hotel Reservation System 1.0. This affects an unknown part of the file /admin/updateabout.php. The manipulation of the argument address results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in SourceCodester Hotel Reservation System 1.0 via the address parameter in /admin/updateabout.php allows remote code execution and data theft.

Vulnerability

Overview

CVE-2025-9790 describes a SQL injection vulnerability in SourceCodester Hotel Reservation System 1.0, specifically in the /admin/updateabout.php endpoint [1]. The root cause is that the address POST parameter is directly interpolated into SQL queries without any sanitization or use of prepared statements [1]. This allows an attacker to inject arbitrary SQL commands by manipulating the address value.

Exploitation

Details

The attack can be launched remotely without authentication [1]. The parameter is sent via POST to /newhotel/admin/updateabout.php. A public proof of concept using sqlmap demonstrates that the vulnerability is a time-based blind SQL injection, allowing automated exploitation [1]. No special network position is required beyond the ability to send HTTP requests to the affected endpoint.
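Because the public proof of concept is time-based and automated, the most practical detection signal on a defended host is the request pattern in the web-server access log: bursts of POSTs to the endpoint, responses that take seconds where a trivial form update should take milliseconds, and a scanner User-Agent. The following triage script is an added example written for this page; it is not part of the advisory, the vendor's software, or sqlmap. It assumes PHP 8 or later, Apache combined-format log lines with the response time in microseconds (`%D`) appended as a final field, and every sample line is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the vendor's code): triage an access log for request patterns
// consistent with time-based blind SQL injection against the affected endpoint.
// Assumed log format: Apache "combined" with the %D (microseconds) field appended.

const TARGET_PATH      = '/admin/updateabout.php'; // suffix match, covers /newhotel/admin/...
const SLOW_RESPONSE_US = 4_000_000;                // a simple form update should never take 4 s
const BURST_THRESHOLD  = 5;                        // automated tooling fires many requests quickly

// Constructed sample: one client probing with alternating slow/fast responses (the
// signature of a time-based blind check), and one ordinary admin request.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [01/Sep/2025:10:15:01 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "sqlmap/1.7" 5120000
203.0.113.10 - - [01/Sep/2025:10:15:07 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "sqlmap/1.7" 101000
203.0.113.10 - - [01/Sep/2025:10:15:08 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "sqlmap/1.7" 5098000
203.0.113.10 - - [01/Sep/2025:10:15:14 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "sqlmap/1.7" 99000
203.0.113.10 - - [01/Sep/2025:10:15:15 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "sqlmap/1.7" 5133000
198.51.100.7 - - [01/Sep/2025:10:20:00 +0000] "POST /newhotel/admin/updateabout.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 98000
LOG;

/** Parse one combined-log line with a trailing %D field; null if it does not match. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" (\d+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'client'   => $m[1],
        'time'     => $m[2],
        'method'   => $m[3],
        'path'     => parse_url($m[4], PHP_URL_PATH) ?: $m[4], // drop any query string
        'status'   => (int) $m[5],
        'agent'    => $m[6],
        'duration' => (int) $m[7],
    ];
}

/** Per-client statistics for the target endpoint, returning only clients that trip a heuristic. */
function triageLog(string $log): array
{
    $stats = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null || !str_ends_with($r['path'], TARGET_PATH)) {
            continue;
        }
        $s = &$stats[$r['client']];
        $s ??= ['requests' => 0, 'slow' => 0, 'scanner_agent' => false, 'first' => $r['time'], 'last' => $r['time']];
        $s['requests']++;
        if ($r['duration'] >= SLOW_RESPONSE_US) {
            $s['slow']++;
        }
        if (stripos($r['agent'], 'sqlmap') !== false) {
            $s['scanner_agent'] = true;
        }
        $s['last'] = $r['time'];
        unset($s);
    }

    $findings = [];
    foreach ($stats as $client => $s) {
        $reasons = [];
        if ($s['slow'] > 0) {
            $reasons[] = sprintf('%d response(s) >= %ds to the endpoint (time-based blind pattern)', $s['slow'], SLOW_RESPONSE_US / 1_000_000);
        }
        if ($s['requests'] >= BURST_THRESHOLD) {
            $reasons[] = sprintf('%d requests between %s and %s (automation burst)', $s['requests'], $s['first'], $s['last']);
        }
        if ($s['scanner_agent']) {
            $reasons[] = 'User-Agent identifies sqlmap';
        }
        if ($reasons) {
            $findings[$client] = $reasons;
        }
    }
    return $findings;
}

foreach (triageLog(SAMPLE_LOG) as $client => $reasons) {
    echo $client, PHP_EOL;
    foreach ($reasons as $why) {
        echo '  - ', $why, PHP_EOL;
    }
}
```

Run it with `php triage.php` against a real log by replacing `SAMPLE_LOG` with `file_get_contents($path)`. The slow-response heuristic is the one that survives a changed User-Agent: a time-based blind probe needs the server to stall measurably, so a sequence of multi-second responses to a page that normally returns in well under a second is the durable signal. Any admin endpoint reachable without a valid session is itself a finding worth raising separately.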

Impact

Successful exploitation gives an attacker unauthorized access to the backend database [1]. This can lead to sensitive data leakage (e.g., user credentials, personal information), data tampering, privilege escalation, and potentially full control over the application environment [1]. The vendor's site [2] provides the software, but no official patch or advisory for this version has been released.

Mitigation

At the time of publication, no fix has been released by SourceCodester for version 1.0 [2]. Users should apply input validation and parameterized queries to the query that consumes the address parameter in /admin/updateabout.php, or consider discontinuing use of the vulnerable component until a patch is available [1]. Because a public exploit exists, immediate action is recommended.
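The remediation the advisory recommends is shown below as an added example written for this page; it is not the vendor's code, and the table name `about_info`, the column names, the session key `admin_id`, and the database credentials are all assumptions. The comment at the top records the vulnerable shape the advisory describes (a POST value interpolated straight into the SQL string); the handler under it replaces that with a prepared statement, a length and control-character check on the input, and an authentication check, since the advisory notes the endpoint is reachable unauthenticated.

```php
<?php
declare(strict_types=1);

// Added example (not the vendor's code). Hypothetical schema: table about_info, column address.
//
// Vulnerable shape described by the advisory: the POST value is concatenated into the query,
// so the database parses whatever the client sends as part of the SQL statement:
//
//   $address = $_POST['address'];
//   mysqli_query($conn, "UPDATE about_info SET address = '$address' WHERE id = 1");
//
// Hardened handler follows.

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // surface DB errors as exceptions

/** Refuse the request unless an admin session exists (the endpoint is under /admin/). */
function requireAdmin(): void
{
    if (empty($_SESSION['admin_id'])) { // assumed session key
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * Validate the address value as data, not as SQL: required, bounded length,
 * no control characters. Throws on any violation.
 */
function validateAddress(?string $value): string
{
    if ($value === null) {
        throw new InvalidArgumentException('address is required');
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > 255) {
        throw new InvalidArgumentException('address length out of range');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('address contains control characters');
    }
    return $value;
}

/**
 * Persist the address through a prepared statement. The value travels to the server
 * as a bound parameter, so it can never alter the statement structure.
 */
function updateAboutAddress(mysqli $db, string $address): int
{
    $stmt = $db->prepare('UPDATE about_info SET address = ? WHERE id = 1');
    $stmt->bind_param('s', $address);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    requireAdmin();
    try {
        $address = validateAddress($_POST['address'] ?? null);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Invalid input');
    }
    // Placeholder credentials; use a least-privilege account with only UPDATE on about_info.
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'hotel');
    $rows = updateAboutAddress($db, $address);
    $db->close();
    header('Location: about.php?updated=' . $rows);
    exit;
}
```

The validation layer is defence in depth, not the fix: the prepared statement alone closes the injection, and an allow-list on length and character class limits what an attacker can store even if another code path later reuses the value unsafely. The least-privilege note on the connection matters for the impact section above: a database account that can only update one table cannot be used to read credential tables or write files even if a second injection point is found.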

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)