CVE-2026-3806
Published: 09 March 2026
Summary
CVE-2026-3806 is a medium-severity Injection (CWE-74) vulnerability in Oretnom23 Resort Reservation System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3806 is a SQL injection vulnerability (CWE-74, CWE-89) in SourceCodester/janobe Resort Reservation System 1.0. The flaw affects the processing of the /room_rates.php file, where manipulation of the 'q' argument triggers the injection.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), allowing remote exploitation over the network with low attack complexity. It requires low privileges (PR:L) and no user interaction, enabling attackers with such access to achieve low-level impacts on confidentiality, integrity, and availability.
Advisories and details are documented in references including a GitHub proof-of-concept at https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Resort-Reservation-System---SQLi2.md and VulDB entries at https://vuldb.com/?ctiid.349772, https://vuldb.com/?id.349772, and https://vuldb.com/?submit.768999. The exploit has been publicly released and could be used for attacks; security practitioners should review these for mitigation steps.
Notable context includes the public availability of the exploit, published on 2026-03-09, increasing the risk of real-world exploitation against unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10299
Vulnerability details
A weakness has been identified in SourceCodester/janobe Resort Reservation System 1.0. This issue affects some unknown processing of the file /room_rates.php. Manipulation of the argument q causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible web application (room_rates.php) directly enables remote exploitation of a public-facing app per T1190; low-privilege authenticated access and a public PoC confirm the mapping, with no other techniques directly indicated.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the 'q' argument in room_rates.php to reject SQL metacharacters and block injection attempts.
- AC-6 (Least Privilege): limits the database privileges granted to the web application account so that a successful injection via the 'q' parameter cannot read or modify arbitrary data.
- Flaw remediation: requires prompt remediation of the known SQL injection flaw in /room_rates.php once the public exploit is identified.
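As an added illustration of the SI-10 and AC-6 controls above (example code written for this page, not code from the Resort Reservation System), the following handler shows how a search-style 'q' parameter in room_rates.php can be validated and then bound as data in a prepared statement, with the web account restricted to SELECT on the rates table. The table and column names (room_rates, rate_id, rate_name, price), the database name and the account name are assumptions.

```php
<?php
// Added example, not the project's own code. Table, column, database and
// account names below are placeholders chosen for illustration.
declare(strict_types=1);

// Vulnerable pattern (shown only for contrast): the raw 'q' value is spliced
// into the SQL text, so the caller controls the query structure.
//   $sql = "SELECT * FROM room_rates WHERE rate_name LIKE '%" . $_GET['q'] . "%'";

function search_room_rates(PDO $db, string $q): array
{
    // SI-10: reject empty, over-long or unexpected input before it reaches the
    // database. Letters, digits, spaces and hyphens are enough for a rate name.
    $q = trim($q);
    if ($q === '' || mb_strlen($q) > 64 || !preg_match('/^[\p{L}\p{N} \-]+$/u', $q)) {
        return [];
    }

    // Escape LIKE wildcards so the input cannot widen the pattern, then bind the
    // value as a parameter: the query structure is fixed at prepare time.
    // (MySQL's default LIKE escape character is the backslash.)
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT rate_id, rate_name, price FROM room_rates WHERE rate_name LIKE :q'
    );
    $stmt->execute([':q' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// AC-6: the application account only needs read access to the rates table.
// Example MySQL grant, applied by the DBA rather than by the application:
//   CREATE USER 'rrs_web'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT ON resort_db.room_rates TO 'rrs_web'@'localhost';

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=resort_db;charset=utf8mb4',
    'rrs_web',
    (string) getenv('RRS_DB_PASS'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
    ]
);

header('Content-Type: application/json');
echo json_encode(search_room_rates($db, (string) ($_GET['q'] ?? '')));
```

Parameter binding is the fix that removes the injection; the input validation and the SELECT-only grant limit what an attacker gains if any other query in the application is still built by string concatenation.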