CVE-2026-4237
Published: 16 March 2026
Summary
CVE-2026-4237 is a high-severity Injection (CWE-74) vulnerability in the Itsourcecode Free Hotel Reservation System (the affected product is inferred from the references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 13.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly fixes the SQL injection flaw in /hotel/admin/mod_reports/index.php for CVE-2026-4237 through timely patching and flaw correction processes.
- SI-10 (Information Input Validation): requires validation of the 'Home' argument to block malicious SQL payloads targeting the vulnerable code in mod_reports/index.php.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects and prioritizes SQL injection issues like CVE-2026-4237 in deployed Free Hotel Reservation System instances for remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web application (PHP admin module) directly enables initial access via exploitation of an internet-facing service, matching T1190.
NVD Description
A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote.…
The exploit has been published and may be used.
Deeper analysis
CVE-2026-4237 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Free Hotel Reservation System 1.0. The issue affects unknown code in the file /hotel/admin/mod_reports/index.php, where manipulation of the "Home" argument enables the injection. Published on 2026-03-16, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated high severity.
Remote attackers require no privileges or user interaction to exploit this flaw over the network with low complexity. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories from VulDB (ctiid.351179, id.351179, submit.771243) document the vulnerability, and a related GitHub issue in silver-guide provides further details. The vendor site at itsourcecode.com may offer updates, though no specific patches are detailed in the available information.
An exploit has been publicly disclosed and may be actively used, heightening the risk for unpatched deployments of this system.
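The SI-10 control above and the analysis here both come down to keeping the "Home" argument from being parsed as SQL. The following PHP is an added illustration, not code from the Free Hotel Reservation System (whose affected query is not published): the table and column names, and the assumption that "Home" is a short identifier, are constructed for the example.

```php
<?php
// Added illustration for CVE-2026-4237, not the project's own code. The real
// query in /hotel/admin/mod_reports/index.php is unknown; "reservations" and
// "report_home" below are assumed names chosen only to show the pattern.
declare(strict_types=1);

/**
 * Input validation (NIST SI-10) for the "Home" argument. Assumption: the
 * report module expects a short identifier. An allowlist rejects quotes,
 * comment sequences and operators before the value reaches any query.
 * Returns the value unchanged when it passes, or null when rejected.
 */
function validateHomeArgument(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Vulnerable pattern, shown only for contrast: the argument is interpolated
 * into the SQL string, so its contents can change the query's structure.
 */
function reportQueryUnsafe(mysqli $db, string $home): mysqli_result|false
{
    return $db->query("SELECT * FROM reservations WHERE report_home = '$home'");
}

/**
 * Hardened form: the value is bound as a parameter of a prepared statement,
 * so the database treats it as data regardless of what it contains. This
 * is the fix that holds even if validation is later loosened.
 */
function reportQuerySafe(mysqli $db, string $home): array
{
    $stmt = $db->prepare('SELECT * FROM reservations WHERE report_home = ?');
    $stmt->bind_param('s', $home);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling as the admin module would do it: refuse bad input with a
// 400 before touching the database. $db is an existing mysqli connection (assumed).
$home = validateHomeArgument($_GET['Home'] ?? null);
if ($home === null) {
    http_response_code(400);
    exit('Invalid Home parameter');
}
// $rows = reportQuerySafe($db, $home);
```

Validation and parameterisation are layered deliberately: the allowlist stops malformed values at the edge, while the prepared statement removes the injection primitive itself.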
Details
- CWE(s)