CVE-2026-6142
Published: 13 April 2026
Summary
CVE-2026-6142 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6142, published on 2026-04-13, is a SQL injection vulnerability classified under CWE-74 and CWE-89 in the tushar-2223 Hotel Management System up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The flaw resides in an unknown functionality of the file /admin/roomdelete.php, where manipulation of the ID argument triggers the injection.
With a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), the vulnerability is remotely exploitable by an unauthenticated attacker with network access, low attack complexity, and no user interaction. The vector rates the impact on confidentiality, integrity, and availability as Low.
Advisories reference a publicly available exploit on GitHub Gist, a project issue report at github.com/tushar-2223/Hotel-Management-System/issues/15, and VulDB entries. The project follows a rolling release model with no specific version details for affected or updated releases and was informed early via the issue report but has not responded, leaving no official patches or mitigations documented.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21770
Vulnerability details
A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to SQL injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection flaw in a publicly reachable web endpoint (/admin/roomdelete.php) is exactly the condition T1190 describes: remote exploitation of a public-facing server.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of the ID argument in /admin/roomdelete.php to block SQL injection manipulation.
- Mandates timely identification and remediation of the SQL injection flaw in the vulnerable commit up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15.
- Regular vulnerability scanning would detect the SQL injection vulnerability in /admin/roomdelete.php prior to exploitation.
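As an added illustration of the input-validation control (SI-10) listed above, and not code from the Hotel Management System itself (which is written in PHP): a Python model of a room-delete handler that allow-lists the ID parameter and binds it as a query parameter against a constructed in-memory table. The table name, column names and sample rows are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's room table.
# The table name, column names and rows are assumptions for this example,
# not taken from the Hotel Management System's own schema.
SAMPLE_ROOMS = [(1, "Single"), (2, "Double"), (3, "Suite")]

# Allow-list: a room id is a bare positive integer of at most ten digits.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (id INTEGER PRIMARY KEY, kind TEXT)")
    conn.executemany("INSERT INTO rooms VALUES (?, ?)", SAMPLE_ROOMS)
    conn.commit()
    return conn


def is_valid_room_id(raw: str) -> bool:
    """SI-10 style input validation: anything but a plain integer is rejected."""
    return ID_PATTERN.fullmatch(raw.strip()) is not None


def delete_room(conn: sqlite3.Connection, raw_id: str) -> int:
    """Validate the ID parameter, then delete using a bound parameter.

    Returns the number of rows removed. Input that fails validation never
    reaches the database, and the query text is a constant, so the value
    is only ever treated as data, never as part of the statement.
    """
    if not is_valid_room_id(raw_id):
        raise ValueError(f"rejected room id: {raw_id!r}")
    cur = conn.execute("DELETE FROM rooms WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def room_count(conn: sqlite3.Connection) -> int:
    """Rows currently in the constructed table."""
    return conn.execute("SELECT COUNT(*) FROM rooms").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("deleted", delete_room(db, "2"), "row(s); remaining", room_count(db))
    for candidate in ("7", "2 OR 1=1", "abc", ""):
        print(repr(candidate), "valid:", is_valid_room_id(candidate))
```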