CVE-2026-36942
Description
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Online Resort Management System v1.0 has a SQL injection vulnerability in manage_activity.php, allowing authenticated attackers to extract database contents.
Vulnerability Overview
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php. The id parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL queries. This vulnerability is classified as low severity with a CVSS v3 score of 2.7 [1].
Exploitation Details
An attacker must first authenticate to the admin panel (default credentials admin/admin123 are provided in the reference). The injection point is the id parameter in the GET request to /orms/admin/activities/manage_activity.php. A proof-of-concept payload demonstrates a UNION-based injection that retrieves the database name: id=-3' union select 1,database(),3,4,5,6,7,8--+ [1].
Impact
Successful exploitation allows an authenticated attacker to extract sensitive information from the database, such as user credentials, personal data, or other application secrets. The vulnerability could be leveraged to gain further access or escalate privileges within the system.
Mitigation
As of the publication date (2026-04-13), no official patch has been released. The vendor (Sourcecodester) has not provided an update. Users should apply input validation and parameterized queries to mitigate the risk. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
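The mitigation above, as an added example that is not code from Sourcecodester or from the cited reference: a lookup that validates id as a positive integer and then binds it as a query parameter. The activity_list table, its columns, the fetch_activity helper and the in-memory SQLite database (PHP 8 with pdo_sqlite) are assumptions made so the example runs offline; the application's real query is not shown on this page.

```php
<?php
declare(strict_types=1);

// Constructed stand-in database. Table name, columns and the SQLite backend
// are assumptions; the application's real schema is not shown on this page.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE activity_list (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');
    $pdo->exec("INSERT INTO activity_list VALUES (3, 'Kayaking', 'Guided lake tour')");
    return $pdo;
}

// Hypothetical hardened lookup for the id request parameter.
function fetch_activity(PDO $pdo, mixed $rawId): ?array
{
    // 1. Input validation: accept only a plain positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Parameterized query: the value is bound, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, name, description FROM activity_list WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = demo_db();
// Constructed inputs: a valid id, the string quoted in the advisory, and malformed values.
$inputs = ['3', "-3' union select 1,database(),3,4,5,6,7,8-- ", '3 OR 1=1', null, ['3']];
foreach ($inputs as $input) {
    $row = fetch_activity($pdo, $input);
    printf("%-50s => %s\n", json_encode($input), $row === null ? 'rejected / not found' : $row['name']);
}
```

In a real handler the first argument would be `$_GET['id'] ?? null`, and a null result should produce a generic "not found" response rather than a database error message.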
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: =1.0
Patches
No patches discovered yet.
References (1)