CVE-2026-5551
Published: 05 April 2026
Summary
CVE-2026-5551 is an injection vulnerability (CWE-74) in software from Itsourcecode (vendor inferred from the references). Its CVSS base score is reported here as 6.9 (Medium); note that the CVSS v3.1 score given in the deeper analysis below is 7.3, and the scoring version behind the 6.9 figure is not stated on this page.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5551 is a SQL injection vulnerability in the itsourcecode Free Hotel Reservation System 1.0, affecting an unspecified code path in the file /hotel/admin/login.php within the Parameter Handler component. The flaw arises from manipulation of the 'email' argument, enabling remote SQL injection. It carries a CVSS v3.1 base score of 7.3 (High on the v3.1 scale) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'). The vulnerability was published on 2026-04-05.
Remote attackers need no privileges or user interaction to exploit this vulnerability over the network, and attack complexity is low. The vector rates the impact on confidentiality, integrity, and availability as Low, i.e. limited data exposure, modification, or denial of service via injected SQL payloads sent to the login functionality. Because the injection point is the admin login query itself, a crafted email value can also alter the outcome of the authentication check rather than only leak or modify data.
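The following Python stand-in is an added illustration, not code from the Free Hotel Reservation System project (whose login.php source is not reproduced on this page). It shows the query-building pattern that makes an e-mail login parameter injectable, a generic tautology payload (constructed here, not the payload from the public exploit), and a hardened version that combines the input validation the SI-10 control refers to with a parameterized query. The table, credentials, and payload are all constructed; the real application is PHP/MySQL, and sqlite3 is used only so the example runs offline.

```python
import re
import sqlite3


# Constructed stand-in for the application's admin table. The real schema of
# Free Hotel Reservation System 1.0 is not given on this page; sqlite3 is used
# only so the example runs offline (the product itself is PHP/MySQL).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO admin (email, password) VALUES (?, ?)",
        ("admin@example.test", "s3cret"),  # constructed credentials
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """CWE-89 pattern: request parameters are concatenated into the SQL text.

    This is the shape of flaw the advisory describes ("manipulation of the
    argument email results in sql injection"); the actual login.php code is
    not reproduced on this page, so this is an assumed reconstruction.
    """
    sql = (
        f"SELECT id FROM admin WHERE email='{email}' "
        f"AND password='{password}'"
    )
    return conn.execute(sql).fetchone() is not None


# SI-10 (Information Input Validation): only accept values shaped like an
# e-mail address before they reach the database layer.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Same check with input validation plus a parameterized query.

    Validation alone is not the fix: binding the values (the '?' markers) is
    what stops the parameter from being parsed as SQL. Password hashing is
    left out so the comparison with the vulnerable version stays one-to-one.
    """
    if not EMAIL_RE.fullmatch(email):
        return False
    row = conn.execute(
        "SELECT id FROM admin WHERE email=? AND password=?", (email, password)
    ).fetchone()
    return row is not None


# Generic tautology payload for the email field (constructed; not the payload
# from the public exploit, which this page does not quote). The trailing '--'
# comments out the rest of the statement, including the password check.
BYPASS_EMAIL = "' OR 1=1 -- "


def demo() -> dict:
    """Return the outcome of each variant so the difference is checkable."""
    conn = make_db()
    return {
        "vuln_valid_creds": login_vulnerable(conn, "admin@example.test", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, BYPASS_EMAIL, "not-the-password"),
        "hard_valid_creds": login_hardened(conn, "admin@example.test", "s3cret"),
        "hard_bypass": login_hardened(conn, BYPASS_EMAIL, "not-the-password"),
        "hard_wrong_password": login_hardened(conn, "admin@example.test", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Running the block shows the concatenated query accepting the tautology payload without a valid password, while the hardened check rejects it at validation and, even if validation were bypassed, would bind the value as data rather than SQL.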
Advisories and references, including a GitHub issue at https://github.com/jasonwong666/cve/issues/1 (which documents the public exploit), the vendor site at https://itsourcecode.com/, and the VulDB entries at https://vuldb.com/submit/782845, https://vuldb.com/vuln/355315, and https://vuldb.com/vuln/355315/cti, provide further details; none of the available information specifies a patch or a vendor-supplied mitigation.
A public exploit is available, which raises the likelihood of opportunistic attacks against Internet-exposed instances of the affected software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19050
Vulnerability details
A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/login.php of the component Parameter Handler. The manipulation of the argument email results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
- CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why this technique?
SQL injection in a public-facing web application (the admin login.php) is exploitable over the network with no authentication, which maps directly to T1190 Exploit Public-Facing Application.
Affected Assets
itsourcecode Free Hotel Reservation System 1.0 (/hotel/admin/login.php, Parameter Handler component)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates the manipulated 'email' parameter in /hotel/admin/login.php to block SQL injection exploits.
- Flaw remediation (control identifier not given on this page): identifies, reports, and corrects the specific SQL injection flaw in the Parameter Handler component of the Free Hotel Reservation System.
- RA-5 (Vulnerability Monitoring and Scanning): scans for and detects CVE-2026-5551 in exposed instances of the affected software.