Vulnerabilities ›

CVE-2026-4876

Medium

CWE-74 — Weakness Type

                    Published: Mar 26, 2026                      ·  Modified: Mar 29, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability was identified in itsourcecode Free Hotel Reservation System 1.0. The impacted element is an unknown function of the file /admin/mod_amenities/index.php?view=editpic. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

🤖 AI Executive Summary

CVE-2026-4876 is a SQL injection vulnerability in itsourcecode Free Hotel Reservation System 1.0 affecting the admin amenities module. The vulnerability allows remote attackers to manipulate the ID parameter in /admin/mod_amenities/index.php?view=editpic to execute arbitrary SQL queries. With a CVSS score of 6.3 and publicly available exploit code, this poses a moderate risk to hotel and hospitality organizations in Saudi Arabia.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 17, 2026 21:54

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi hospitality and tourism sector organizations using this open-source system, including independent hotels, resorts, and booking management companies. Secondary impact extends to government tourism authorities and travel agencies managing reservations. The SQL injection could lead to unauthorized database access, guest data theft (PII), booking manipulation, and potential financial fraud. Organizations in Riyadh, Jeddah, and other major tourism hubs are at elevated risk.

🏢 Affected Saudi Sectors

Hospitality & Tourism Hotel Management Travel & Booking Agencies Government Tourism Authorities Resort Management

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1005 - Data from Local System T1213 - Data from Information Repositories T1040 - Traffic Capture or Redirection

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all instances of itsourcecode Free Hotel Reservation System 1.0 in your environment

2. Restrict admin access to /admin/mod_amenities/ module to trusted networks only using WAF or firewall rules

3. Implement input validation: sanitize and parameterize all ID parameters using prepared statements

4. Enable SQL error suppression to prevent information disclosure



Patching Guidance:

5. Contact itsourcecode for security updates or consider migrating to maintained alternatives

6. If no patch available, apply compensating controls immediately



Compensating Controls:

7. Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in the ID parameter

8. Implement database activity monitoring (DAM) to detect anomalous SQL queries

9. Apply principle of least privilege to database user accounts used by the application

10. Enable comprehensive audit logging for all admin module access



Detection Rules:

11. Monitor for SQL keywords (UNION, SELECT, DROP, INSERT) in ID parameter values

12. Alert on multiple failed database queries from admin module

13. Track unusual database connection patterns or privilege escalation attempts

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع نسخ نظام حجز الفنادق المجاني من itsourcecode الإصدار 1.0 في بيئتك

2. تقييد الوصول الإداري إلى وحدة /admin/mod_amenities/ للشبكات الموثوقة فقط باستخدام WAF أو قواعد جدار الحماية

3. تطبيق التحقق من المدخلات: تطهير وتحديد معاملات ID باستخدام الاستعلامات المحضرة

4. تفعيل قمع أخطاء SQL لمنع الكشف عن المعلومات

إرشادات التصحيح:

5. التواصل مع itsourcecode للحصول على تحديثات أمان أو النظر في الهجرة إلى بدائل مدعومة

6. إذا لم يكن هناك تصحيح متاح، طبق الضوابط البديلة فوراً

الضوابط البديلة:

7. نشر قواعد جدار تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل ID

8. تطبيق مراقبة نشاط قاعدة البيانات (DAM) للكشف عن استعلامات SQL غير الطبيعية

9. تطبيق مبدأ أقل امتياز على حسابات مستخدمي قاعدة البيانات المستخدمة من التطبيق

10. تفعيل تسجيل التدقيق الشامل لجميع عمليات الوصول إلى الوحدة الإدارية

قواعد الكشف:

11. مراقبة كلمات SQL الرئيسية (UNION, SELECT, DROP, INSERT) في قيم معامل ID

12. التنبيه على استعلامات قاعدة بيانات متعددة فاشلة من الوحدة الإدارية

13. تتبع أنماط اتصال قاعدة البيانات غير العادية أو محاولات تصعيد الامتيازات

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.14.2.5 - Secure coding practices ECC 2024 A.12.6.1 - Management of technical vulnerabilities

🔵 SAMA CSF

SAMA CSF ID.BE-5 - Organizational resilience SAMA CSF PR.DS-6 - Data is protected from unauthorized access SAMA CSF DE.CM-1 - The network is monitored for unauthorized connections

🟡 ISO 27001:2022

ISO 27001:2022 A.8.1.3 - Segregation of duties ISO 27001:2022 A.14.2.1 - Secure development policy ISO 27001:2022 A.14.2.5 - Secure coding practices ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.5.1 - Injection flaws prevention PCI DSS 6.2 - Security patches and updates

🔗 References & Sources 5

🔗

https://github.com/bybinyu/Vulnerability-Practice/issues/5

cna@vuldb.com

🔗

https://itsourcecode.com/

cna@vuldb.com

🔗

https://vuldb.com/?ctiid.353559

cna@vuldb.com

🔗

https://vuldb.com/?id.353559

cna@vuldb.com

🔗

https://vuldb.com/?submit.777352

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-74

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-03-26

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-4876

Introduce Yourself

Sign In Required