Cyber Resilience

CVE-2026-5551

Medium

Published: 05 April 2026
Modified: 24 April 2026
CVSS Score (v4): 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5551 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5551 is a SQL injection vulnerability in the itsourcecode Free Hotel Reservation System 1.0, affecting unknown code in the file /hotel/admin/login.php within the Parameter Handler component. The flaw arises from manipulation of the 'email' argument, enabling remote SQL injection attacks. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Injection) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection). The vulnerability was published on 2026-04-05.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in low-level impacts to confidentiality, integrity, and availability, such as limited data exposure, modification, or denial of service via injected SQL payloads targeting the login functionality.
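To make the root cause concrete, here is an added example (not code from the Free Hotel Reservation System) that contrasts the CWE-89 pattern, a request parameter spliced into the SQL text, with the hardened form the SI-10 control describes: bind the value as a query parameter and validate its shape before it reaches the database. The table schema, the sample row and the email regex are assumptions made for this demo.

```python
import re
import sqlite3

# Constructed stand-in for an admin table; the schema, column names and the
# sample row are assumptions for this demo, not the reservation system's code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin@example.test', 'hash')")
    return conn

def lookup_unsafe(conn, email):
    """Vulnerable pattern (CWE-89): the request value becomes part of the SQL
    text, so a quote in it changes the statement rather than the search value."""
    sql = "SELECT id FROM admin WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, email):
    """Hardened pattern: the value is bound as a parameter and is only ever data."""
    return conn.execute("SELECT id FROM admin WHERE email = ?", (email,)).fetchone()

# Shape check for the 'email' parameter (SI-10 input validation). Deliberately
# stricter than RFC 5322; loosen it if legitimate addresses must be accepted.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def valid_email(email):
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None

def probe(email):
    """Return (unsafe_row, unsafe_statement_broke, safe_row, passes_validation)."""
    conn = make_db()
    try:
        unsafe, broke = lookup_unsafe(conn, email), False
    except sqlite3.Error:          # the spliced quote corrupted the statement
        unsafe, broke = None, True
    safe = lookup_safe(conn, email)   # same input is harmless when bound
    conn.close()
    return unsafe, broke, safe, valid_email(email)

if __name__ == "__main__":
    for value in ("admin@example.test", "o'brien@example.test"):
        print(repr(value), probe(value))
```

A single apostrophe is enough to show the difference: the concatenated query fails to parse, proving the input is being interpreted as SQL, while the bound query simply finds no such user and the validator rejects the value before any query runs.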

Advisories and references provide further details but do not specify patches or mitigations in the available information: a GitHub issue at https://github.com/jasonwong666/cve/issues/1 detailing the public exploit, the vendor site at https://itsourcecode.com/, and VulDB entries at https://vuldb.com/submit/782845, https://vuldb.com/vuln/355315, and https://vuldb.com/vuln/355315/cti.

The exploit has been publicly released, increasing the risk of real-world attacks against exposed instances of the affected software.

Vulnerability details

A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/login.php of the component Parameter Handler. The manipulation of the argument email results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in a public-facing web application (admin login.php) directly enables remote exploitation over the network with no authentication required, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150 (shared CWE-74, CWE-89)
CVE-2026-3746 (shared CWE-74, CWE-89)
CVE-2025-2683 (shared CWE-74, CWE-89)
CVE-2026-5238 (shared CWE-74, CWE-89)
CVE-2026-4288 (shared CWE-74, CWE-89)
CVE-2026-2220 (shared CWE-74, CWE-89)
CVE-2025-1535 (shared CWE-74, CWE-89)
CVE-2026-0597 (shared CWE-74, CWE-89)
CVE-2026-1688 (shared CWE-74, CWE-89)
CVE-2026-5018 (shared CWE-74, CWE-89)

Affected Assets

Itsourcecode
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly validates the manipulated 'email' parameter in /hotel/admin/login.php to block SQL injection exploits.

Prevent: Identifies, reports, and corrects the specific SQL injection flaw in the Parameter Handler component of the Free Hotel Reservation System.

Detect: RA-5 (Vulnerability Monitoring and Scanning). Scans for and detects the SQL injection vulnerability CVE-2026-5551 in exposed instances of the affected software.

References