VYPR
Low severity 2.7 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 17, 2026

CVE-2026-36938

Description

Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sourcecodester Online Resort Management System v1.0 has a SQL injection vulnerability in the view_room.php page via the id parameter.

The vulnerability is a SQL injection flaw in the /orms/admin/rooms/view_room.php file of Sourcecodester Online Resort Management System v1.0. The id parameter in the URL is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands [1].

Exploitation requires an authenticated admin session (default credentials admin/admin123 are provided in the reference). The attacker sends a crafted GET request to /orms/admin/?page=rooms/view_room&id= with a malicious payload, such as a UNION-based injection to extract database information. The reference demonstrates a payload that retrieves the database name (orms_db) [1].

Successful exploitation could allow an authenticated attacker to read, modify, or delete arbitrary data in the underlying MySQL database. This includes sensitive information such as user credentials, reservation details, and other application data. The low CVSS score (2.7) reflects the requirement for authentication and the specific attack vector.

As of the publication date (April 13, 2026), no official patch has been released by Sourcecodester. The vendor's website indicates the software is available for download, but no security update is mentioned. Users should apply input validation and use prepared statements to mitigate the risk. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
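
The mitigation recommended above, as an added example that is not code from the application or from the referenced write-up: the concatenated query pattern beside a validated, parameter-bound version. Table and column names are hypothetical, and an in-memory SQLite database accessed through PDO stands in for the application's MySQL database.

```php
<?php
// Added example: table and column names are hypothetical, not taken from the application.
// An in-memory SQLite database (via PDO) stands in for the application's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE room_list (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO room_list (id, name) VALUES (1, 'Deluxe'), (2, 'Family'), (3, 'Suite')");

// Pattern the advisory describes: the id value is concatenated into the SQL text,
// so anything that follows the number is parsed as SQL.
function view_room_concatenated(PDO $db, string $id): array
{
    return $db->query("SELECT id, name FROM room_list WHERE id = " . $id)
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Mitigation the advisory recommends: validate the input, then bind it as a parameter
// so the value can never change the structure of the statement.
function view_room_prepared(PDO $db, string $id): array
{
    $roomId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($roomId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare("SELECT id, name FROM room_list WHERE id = :id");
    $stmt->bindValue(':id', $roomId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one well-formed id and one carrying extra SQL.
foreach (['2', '2 OR 1=1'] as $id) {
    printf("id=%-10s concatenated rows: %d\n", "'$id'", count(view_room_concatenated($db, $id)));
    try {
        printf("id=%-10s prepared rows:     %d\n", "'$id'", count(view_room_prepared($db, $id)));
    } catch (InvalidArgumentException $e) {
        printf("id=%-10s prepared:          rejected (%s)\n", "'$id'", $e->getMessage());
    }
}
```

With the second input the concatenated query returns every row in the table, while the prepared version rejects the value before any SQL is executed.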

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
