CVE-2026-36937
Description
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/reservations/view_details.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Online Resort Management System v1.0 has a low-severity SQL injection in /orms/admin/reservations/view_details.php via the id parameter.
Vulnerability
The Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/reservations/view_details.php. The id parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands [1].
Exploitation
An attacker must be authenticated as an admin (default credentials admin/admin123) to access the vulnerable endpoint. The injection is performed via a GET request to /orms/admin/reservations/view_details.php?id=-2' union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14--+, which leaks the database name (orms_db) in the response [1]. No special network position is required beyond access to the admin panel.
Impact
Successful exploitation allows an authenticated attacker to extract sensitive information from the database, such as user credentials or reservation data. The CVSS v3 score of 2.7.2 reflects the authentication requirement, but the flaw still enables significant data disclosure [1].
Mitigation
As of the publication date (2026-04-13), no official patch has been released. The vendor (sourcecodester) has not addressed this issue. Users should apply input validation and use prepared statements to mitigate the vulnerability [1].
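The mitigation above (validate the input, then use a prepared statement) in working form. This is an added example, not code from the Sourcecodester project: the page does not show the application's own source, so the table name `reservations`, its columns, the function name `findReservation` and the in-memory SQLite database used for the demo are all assumptions made here to illustrate the fix.

```php
<?php
// Added example (not the project's code). Hardened lookup of the kind a
// view_details.php handler performs. Assumed schema: table `reservations`
// with integer primary key `id`; column names are placeholders.
//
// Vulnerable pattern the advisory describes (do not use): the raw request
// value is concatenated into the query string, so a quote in `id` changes
// the query's structure:
//   $sql = "SELECT * FROM reservations WHERE id = '" . $_GET['id'] . "'";

declare(strict_types=1);

/**
 * Return the reservation row for $rawId, or null when the id is not a
 * well-formed positive integer or no row matches.
 *
 * Two layers of defence:
 *  1. Input validation: anything that is not a positive integer is rejected
 *     before it reaches the database layer.
 *  2. Parameterization: the value is bound as a typed parameter, never
 *     concatenated into the SQL text, so the query structure is fixed.
 */
function findReservation(PDO $db, string $rawId): ?array
{
    // FILTER_VALIDATE_INT returns false for input such as "-2' union ...".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    $stmt = $db->prepare('SELECT * FROM reservations WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, guest TEXT, room TEXT)');
$db->exec("INSERT INTO reservations VALUES (1, 'Example Guest', 'A-101')");

var_dump(findReservation($db, '1'));                         // the row for id 1
var_dump(findReservation($db, "-2' union select 1,2,3--"));  // NULL: rejected by validation
var_dump(findReservation($db, '999'));                       // NULL: no such row
```

With the MySQL driver that this kind of application normally uses, also set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so that parameters are sent to the server separately from the query text rather than being interpolated client-side; the validation step is still worth keeping as defence in depth, because it rejects malformed ids before any query runs and gives a clean place to log them.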
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Version range: =1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.