VYPR
Low severity · CVSS 2.7 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 17, 2026

CVE-2026-36941

Description

Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/manage_room.php via the id parameter; exploitation requires an authenticated administrator session.

Vulnerability

Overview

The Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the /orms/admin/rooms/manage_room.php script. The flaw is in the id parameter, which is placed into a SQL query without sanitization or parameterization. A standard UNION-based payload works, as demonstrated with the input id=-1' union select 1,database(),3,4,5,6,7,8,9,10--+. The leading -1 selects no real row, the ten values match the column count of the original SELECT so the UNION rows line up, and --+ comments out the remainder of the query (the + decodes to the space MySQL requires after --). The attacker-controlled expression in the second column is then rendered in the response, allowing data to be read from the database [1].

Exploitation

Prerequisites

Exploitation requires prior authentication: the vulnerable page is only reachable with a logged-in administrative session. The reference provides default credentials (admin/admin123) which, if left unchanged on a deployment, grant access to the vulnerable page and reduce the authentication requirement to a formality [1]. The attack is a single HTTP GET request to the endpoint with the injected id parameter, so it is straightforward to execute with curl, Burp, or a browser's developer console once the session cookie is in hand.

Impact

A successful SQL injection allows an authenticated attacker to retrieve information from the backend database. The PoC payload returns the database name (orms_db), and the same UNION position can be pointed at information_schema or at the application's own tables to dump further records [1]. The low CVSS score of 2.7 reflects the high privilege required (an administrator account) and a limited confidentiality impact rather than any weakness in the injection itself; for a deployment that still uses the default credentials, or where the administrator role is not meant to have direct database read access, the practical impact is higher than the score suggests.

Mitigation

As of the publication date, no official patch has been released for this vulnerability. The correct fix is in the application code: pass id to the query as a bound parameter of a prepared statement, and validate that it is an integer before it is used at all. Until a fix is available, operators should change the default administrator credentials, restrict network access to the admin panel, and apply web application firewall rules that block common SQL injection patterns in the id parameter; note that WAF filtering is a stopgap that a determined attacker can often bypass and does not replace parameterized queries. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.
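The following is an added example, not code from the Sourcecodester project or from the cited reference. It models the defect described in the Overview and the fix recommended above in Python with an in-memory SQLite database: a ten-column rooms table (the real orms table layout is not on the page and is an assumption here), a lookup that splices id into the SQL string the way the vulnerable page does, and a parameterized lookup with an integer check. The page's payload targets MySQL's database(); SQLite has no such function, so sqlite_version() stands in as the attacker-chosen expression.

```python
import sqlite3

# Constructed sample schema (assumption): ten columns, so the page's ten-value
# UNION payload lines up with the original SELECT exactly as described.
SCHEMA = """
CREATE TABLE rooms (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL,
    capacity INTEGER, status INTEGER, date_created TEXT, date_updated TEXT,
    image TEXT, extra TEXT
);
INSERT INTO rooms VALUES (1,'Deluxe','Sea view',120.0,2,1,'2026-01-01','2026-01-02','deluxe.jpg','');
INSERT INTO rooms VALUES (2,'Suite','Garden view',200.0,4,1,'2026-01-01','2026-01-02','suite.jpg','');
"""

# Same shape as the page's payload; sqlite_version() replaces MySQL's database(),
# and the trailing space mirrors the decoded "+" after "--".
PAYLOAD = "-1' union select 1,sqlite_version(),3,4,5,6,7,8,9,10-- "

# Exposed so a caller can check which value the injection leaked.
SQLITE_VERSION = sqlite3.sqlite_version


def new_db():
    """Fresh in-memory database with the constructed rooms table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def manage_room_vulnerable(conn, room_id):
    """Models the defect: the id parameter is concatenated into the SQL text."""
    sql = "SELECT * FROM rooms WHERE id = '" + room_id + "'"
    return conn.execute(sql).fetchall()


def valid_room_id(room_id):
    """Input validation: a room id is a string of decimal digits, nothing else."""
    return isinstance(room_id, str) and room_id.isdigit()


def manage_room_fixed(conn, room_id):
    """The fix: id travels as a bound parameter, never as part of the SQL string."""
    return conn.execute("SELECT * FROM rooms WHERE id = ?", (room_id,)).fetchall()


def manage_room_hardened(conn, room_id):
    """Validation plus parameterization; rejects anything that is not an integer id."""
    if not valid_room_id(room_id):
        raise ValueError("room id must be a positive integer")
    return manage_room_fixed(conn, int(room_id))


if __name__ == "__main__":
    conn = new_db()
    # Vulnerable path: no real row matches -1, the UNION row is returned and the
    # attacker's expression appears in the name column.
    print("vulnerable:", manage_room_vulnerable(conn, PAYLOAD))
    # Fixed path: the whole payload is compared as a literal id and matches nothing.
    print("fixed:     ", manage_room_fixed(conn, PAYLOAD))
    # Hardened path: the payload never reaches the database.
    try:
        manage_room_hardened(conn, PAYLOAD)
    except ValueError as err:
        print("hardened:  ", err)
    print("legit:     ", manage_room_hardened(conn, "2"))
```

Running the script shows the injected row (1, '<sqlite version>', 3, ..., 10) coming back from the vulnerable function, an empty result from the parameterized one, and a ValueError from the hardened one, while a legitimate id of 2 still returns the Suite row. Against the real application the same structural fix applies with PDO or mysqli prepared statements in PHP.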

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.