CVE-2026-14763: Remote SQL Injection in PHP Reservations
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14763 |
| CVSS score | 7.3 (NVD); a referenced advisory also reports 7.5 / CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack vector | Remote / network |
| Authentication required | None, per the public advisory |
| Patch status | No confirmed official fixed version identified in the cited primary references |
TL;DR - Unauthenticated SQL injection affects Hotel and Tourism Reservation in PHP 1.0. - The
tourparameter in/admin/tour_reserves.phpis the reported injection point. - Public exploit details exist; no confirmed vendor-fixed release is known, so exposed instances should be treated as urgent.
What is CVE-2026-14763 and why does it matter?
CVE-2026-14763 is a reported remote SQL injection vulnerability in Hotel and Tourism Reservation in PHP 1.0, a project distributed through code-projects.org. The vulnerable component is the Tour Reservations Page, specifically the file /admin/tour_reserves.php, where the tour parameter can allegedly be manipulated to alter backend SQL execution. The available technical reporting characterizes the flaw as time-based blind SQL injection, which usually means an attacker can confirm injection and extract data without direct query output by measuring response delays.
For defenders, the key operational point is not just that this is SQL injection, but that it is described as remote and unauthenticated. If your organization has deployed this application on an internet-facing host, an attacker may not need credentials or user interaction to begin probing the endpoint. Even when the impact appears to be primarily confidentiality-focused, SQL injection against a reservation platform can expose customer records, booking details, administrative data, and sometimes application secrets stored in the database.
The NVD entry states that an exploit has been published and may be used. That is not the same as verified mass exploitation in the wild, but it materially changes risk. Public PoCs lower the skill barrier, increase opportunistic scanning, and shorten the time from disclosure to exploitation attempts. In practical terms, defenders should assume public-facing instances are likely to attract automated or semi-automated probing soon after publication.
It is also important to note what is not currently established from the provided sources. This CVE is not listed in CISA KEV at the time of writing, so there is no CISA-backed confirmation of active exploitation in the wild from that source alone. Where exploitation telemetry is absent, the safe assumption for defenders is still to treat the issue as high priority if the application is reachable externally and stores production data.
Affected products and version details
The affected product identified in the available references is Hotel and Tourism Reservation in PHP, distributed via code-projects.org. The confirmed affected version range from the provided references is only version 1.0. No broader version range was documented in the supplied source material, and no official vendor bulletin was cited that expands or narrows impact beyond that single release.
The reported vulnerable component is /admin/tour_reserves.php, with the public advisory showing the path as /ht/admin/tour_reserves.php in its example request. Defenders should not over-interpret that path discrepancy. In many PHP deployments, the application may be installed under a subdirectory such as /ht/, while the vulnerable file itself remains admin/tour_reserves.php. The important detection and mitigation focus is the file name and the tour POST parameter, not just the exact web root path shown in a single PoC.
A critical gap remains: no confirmed fixed version number is identified in the primary references provided. Because of that, this article cannot honestly state a known remediated release such as “fixed in 1.0.1” or similar. If you are running Hotel and Tourism Reservation in PHP 1.0, you should currently assume it is affected until you can verify source-code changes or obtain an official upstream statement.
Where versioning and patch data are incomplete, defenders should shift from “version-based confidence” to “asset-based validation.” That means inventorying deployments, checking whether tour_reserves.php exists, reviewing whether the tour parameter reaches SQL queries unsafely, and planning either code-level remediation or compensating controls if no maintained upstream package exists.
Exploitation status: PoC, in-the-wild use, and urgency
A public PoC exists. The supplied advisory includes a working HTTP POST example and timing evidence that supports the claim of time-based blind SQL injection. That means this is not a purely theoretical weakness. There is enough public detail for a practitioner, tester, or attacker to reproduce the issue against a vulnerable instance.
At the same time, confirmed exploitation in the wild is not established from the provided sources. The research note explicitly states that the CVE is not on the CISA Known Exploited Vulnerabilities catalog, and no other primary-source telemetry in the provided material confirms active campaigns, botnet use, or ransomware linkage. The correct defender statement is therefore: PoC available, but in-the-wild exploitation not confirmed from the cited sources.
This distinction matters operationally. Public PoC availability generally pushes a vulnerability into a faster remediation queue, especially when the attack is unauthenticated and remote. It does not necessarily mean every environment is already under active exploitation, but it does mean the window for safe delay is narrow, especially for exposed SMB systems that often run less monitored PHP apps.
If your organization lacks threat intelligence enrichment or WAF coverage, assume opportunistic attackers may test this endpoint soon. If the application is internal-only and shielded behind VPN or IP restrictions, urgency remains high but the immediate exposure may be lower. In either case, because there is no confirmed fixed version number, mitigation planning should begin with containment and code review, not just waiting for a package upgrade.
Technical details and root cause
The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL injection. Based on the advisory, the vulnerable input is the tour POST parameter submitted to tour_reserves.php. The issue appears to stem from unsafe incorporation of attacker-controlled input into a SQL query without proper parameterization.
The available PoC indicates a time-based blind technique using sleep() to trigger measurable delays. That pattern strongly suggests the application backend executes or evaluates injected SQL expressions even if query results are not directly rendered to the user. In practical exploitation, attackers can often use this approach to infer database structure, enumerate tables, and gradually extract sensitive data through conditional timing responses.
Technical Notes
The publicly cited PoC request is:
POST /ht/admin/tour_reserves.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
clear=&tour=(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'*/
The advisory also includes timing evidence consistent with successful blind injection:
sleep(0) => 0.011s
sleep(3) => 3.017s
sleep(6) => 6.008s
sleep(15) => 15.005s
A secure coding pattern shown in the advisory uses prepared statements:
$stmt = $conn->prepare("SELECT * FROM tour_reserves WHERE tour=?");
$stmt->bind_param("i", $tour);
$stmt->execute();
Bottom line
CVE-2026-14763 is a high-severity unauthenticated remote SQL injection affecting Hotel and Tourism Reservation in PHP 1.0. The presence of a public PoC makes this more urgent, even though confirmed in-the-wild exploitation is not established from the cited sources and the CVE is not currently on CISA KEV.
The biggest operational complication is patch ambiguity: the affected version is known as 1.0, but the fixed version number is unknown from the provided references. For defenders, that means the right immediate action is to find exposed instances, restrict access, review logs, and patch the vulnerable code path with prepared statements and strict input validation rather than waiting for a clearly documented upstream release.
For additional information on related security concerns, check out our articles on what is shoulder surfing and the diamond model of intrusion analysis.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and hunting guidance
Detection should focus on requests to /admin/tour_reserves.php or equivalent installed paths, especially POST requests carrying suspicious values in the tour parameter. Since the reported technique is time-based blind SQL injection, defenders should also look for a pattern of repeated requests with unusual latency deltas, often in 3-, 6-, or 15-second increments if an attacker is following public examples.
In many environments, web access logs alone may not conclusively prove exploitation, because the malicious payload can be URL-encoded and the application may still return HTTP 200 responses. The combination that matters is: access to the vulnerable endpoint, anomalous parameter values, and corresponding backend or application response delays. If database audit logging is enabled, watch for use of SLEEP( or logically unnecessary subqueries tied to requests hitting this page.
Because this is a PHP application, defenders should also inspect custom app logs, reverse-proxy logs, and WAF telemetry. If the application sits behind Apache or Nginx, a burst of POST requests to the same administrative page from a single IP with varying tour values is a strong lead. If you have no logging on the app today, that itself is a gap worth correcting immediately while the issue is under triage.
Technical Notes
Example access-log pattern to search for:
POST /admin/tour_reserves.php
POST /ht/admin/tour_reserves.php
tour=(select(0)from(select(sleep(
tour=%28select%280%29from%28select%28sleep%28
Example grep-based hunt on a Linux web server:
grep -RIE 'tour_reserves\.php|sleep\(|tour=%28select|tour=\(select' /var/log/apache2/ /var/log/nginx/
Example Splunk query:
(index=web OR index=apache OR index=nginx)
(uri_path="/admin/tour_reserves.php" OR uri_path="/ht/admin/tour_reserves.php")
(method=POST)
(tour="*sleep(*" OR request_body="*sleep(*" OR request="*tour=%28select*")
| stats count min(response_time) max(response_time) values(src_ip) by uri_path, http_status
Example Sigma-style matching logic concept for a WAF or proxy pipeline:
detection:
selection_path:
cs-uri-stem:
- "/admin/tour_reserves.php"
- "/ht/admin/tour_reserves.php"
selection_body:
cs-uri-query|contains:
- "sleep("
- "select("
- "tour="
condition: selection_path and selection_body
Mitigation and patching
The most important limitation here is simple: no confirmed official fixed version number is available from the supplied primary references. That means there is no verified statement such as “affected: <=1.0, fixed: 1.0.1” that can be responsibly published based on current evidence. The only confirmed affected version in the provided material is 1.0, and the fixed version is unknown.
In the absence of a documented vendor patch, defenders have two immediate options: remove or restrict exposure and apply code-level remediation. If the application is internet-facing, place it behind IP allowlists, VPN-only access, or disable the vulnerable page entirely until the query handling is fixed. If the application is business-critical and must remain available, a WAF rule targeting the tour parameter and blocking SQLi syntax may reduce risk, but it should be treated as a temporary control rather than a substitute for code fixes.
The coding remediation pattern is straightforward: convert any SQL statement using the tour parameter into a prepared statement with strict type handling. The advisory’s example binds tour as an integer, which aligns with what defenders should want here. In addition, validate server-side that tour is an expected identifier, reject malformed values early, and avoid dynamic query construction with concatenated request input.
If you maintain the code locally, verify the vulnerable file directly and update the query implementation. If this application was deployed from a downloaded project archive rather than a managed package, traditional package-manager patch workflows may not exist. In that case, remediation must be handled as an application code change under your own change-control process.
Technical Notes
Example secure PHP pattern:
<?php
$tour = filter_input(INPUT_POST, 'tour', FILTER_VALIDATE_INT);
if ($tour === false || $tour === null) {
http_response_code(400);
exit('Invalid tour id');
}
$stmt = $conn->prepare("SELECT * FROM tour_reserves WHERE tour = ?");
$stmt->bind_param("i", $tour);
$stmt->execute();
$result = $stmt->get_result();
?>
If you need an immediate temporary workaround, restrict access to the file at the web server layer.
Apache example:
<Files "tour_reserves.php">
Require ip 192.0.2.0/24
</Files>
Nginx example:
location = /admin/tour_reserves.php {
allow 192.0.2.0/24;
deny all;
}
If the app is deployed under /var/www/html/ht, a practical change workflow may look like:
cd /var/www/html/ht/admin
cp tour_reserves.php tour_reserves.php.bak-2026-07-05
vi tour_reserves.php
php -l tour_reserves.php
systemctl reload apache2 || systemctl reload nginx
If you use Git to manage local app code:
git checkout -b hotfix/cve-2026-14763
git diff
git add admin/tour_reserves.php
git commit -m "Fix CVE-2026-14763 with prepared statement for tour parameter"
Practical response checklist
First, identify whether you actually run Hotel and Tourism Reservation in PHP 1.0 anywhere in your environment, including forgotten demo systems, staging hosts, or low-cost shared hosting used by business units. Small PHP reservation apps are often deployed outside central asset management, so discovery may require checking web roots, VM inventories, and hosted cPanel environments.
Second, determine exposure. If the application is publicly accessible, treat it as a higher-priority incident response and hardening task. Preserve relevant logs, hunt for requests targeting tour_reserves.php, and review database access patterns for suspicious timing or unusual reads. If suspicious traffic is found, consider the possibility of credential theft and review database user privileges, application config files, and any stored secrets.
Third, fix or contain. Because the fixed version number is unknown, the safest wording is not “upgrade to version X,” but rather “remediate the vulnerable code path and limit exposure until verified safe.” Once remediated, test the endpoint to confirm that non-integer or SQLi-style tour inputs are rejected and no longer produce timing-based delays.
References
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-14763
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Public advisory and PoC: https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md
- code-projects.org: https://code-projects.org/
- VulDB reference listed by NVD: https://vuldb.com/cve/CVE-2026-14763