CVE-2026-6142: Tushar-2223 Hotel Management System SQLi - PoC Available
Exploit publicly available for CVE-2026-6142 SQL injection in Tushar-2223 Hotel Management System up to commit bb1f3b36. Grants unauthenticated database read access and data theft. Harden admin interface immediately.
Vendor-confirmed - CVE-2026-6142 is a high-severity SQL injection in Tushar-2223 Hotel Management System up to commit bb1f3b36 that grants unauthenticated attackers arbitrary database read access and data exfiltration. Apply WAF rules or restrict admin network access until a patch is released.
Overview
A high-severity SQL injection vulnerability, CVE-2026-6142, exists in the Tushar-2223 Hotel Management System. The flaw is located in the /admin/roomdelete.php file and is triggered by manipulating the ID argument. This allows an unauthenticated, remote attacker to execute arbitrary SQL commands on the underlying database.
Technical Details
The vulnerability stems from improper neutralization of special elements used in an SQL command within the room deletion functionality. Because the system follows a rolling release model, specific version numbers are not provided; all instances up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 are affected. The CVSS v3.1 base score is 7.3, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates the attack can be launched over a network with low complexity, requires no privileges or user interaction, and has a high impact on confidentiality.
Impact
Successful exploitation could allow an attacker to read, modify, or delete sensitive data from the application’s database. This includes potentially confidential guest information, booking records, and administrative credentials. The public availability of a proof-of-concept (PoC) exploit significantly increases the risk of attack attempts against unpatched systems.
Remediation and Mitigation
As the project maintainers have not yet released an official patch, immediate mitigation is critical.
- Primary Action: If possible, restrict network access to the Hotel Management System’s admin interface to trusted IP addresses only.
- Interim Fix: Implement a Web Application Firewall (WAF) with rules configured to block common SQL injection patterns.
- Code Fix: Manually sanitize and parameterize the ID input in the /admin/roomdelete.php file. All user-supplied input must be validated and escaped before being used in SQL queries.
- Monitoring: Closely monitor database and application logs for any suspicious query activity originating from the web application layer.
Users should monitor the project’s repository for an official security update. Given the public PoC, treating this vulnerability as a high-priority issue is advised.
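The code fix described above, as an added illustration rather than the project's own roomdelete.php (whose source is not reproduced here): the injectable concatenation pattern the advisory describes beside its parameterized replacement using mysqli, plus the session check an admin-only endpoint needs so that unauthenticated callers never reach it. The table and column names, the id request parameter and the session key are assumptions.

```php
<?php
// Vulnerable pattern (CWE-89): the room ID is taken straight from the request
// and interpolated into the SQL string, so any quote or operator in it is
// parsed as SQL. Shown only to contrast with the hardened version below.
function delete_room_unsafe(mysqli $db, array $get): bool
{
    $id = $get['id'] ?? '';                       // attacker-controlled string
    $sql = "DELETE FROM rooms WHERE id = '$id'";  // string interpolation: injectable
    return $db->query($sql) !== false;
}

// Hardened form: validate the type first, then bind the value as a parameter
// so the database driver never treats it as part of the statement text.
// (Table and column names are assumptions, not the project's schema.)
function delete_room_safe(mysqli $db, array $get): bool
{
    // 1. Input validation: a room ID must be a positive integer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // reject anything that is not a valid ID
        return false;
    }

    // 2. Parameterized query: '?' is bound as an integer ('i'), so even a
    //    well-formed integer is sent as data, never spliced into the SQL.
    $stmt = $db->prepare('DELETE FROM rooms WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Access control: the advisory rates this PR:N (no privileges required),
//    so the endpoint must also verify an admin session before any deletion.
//    The 'admin_id' session key is an assumption.
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('forbidden');
    }
}
```

In the request handler, call require_admin_session() first and then delete_room_safe($db, $_GET); the validation step turns the malformed input a WAF would otherwise have to catch into a plain 400 response.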
Security Insight
This vulnerability highlights the persistent risk in smaller, open-source projects that utilize continuous delivery models. The lack of versioned releases can obscure the patch status for end-users, making asset management and vulnerability response more challenging. It echoes the pattern seen in other exploited web app flaws, where unpatched, internet-facing administrative interfaces become primary attack vectors, regardless of the vendor’s size.