CVE-2026-3746 - Vulnerability Analysis
HighCVSS: 7.3Last Updated: March 9, 2026
SourceCodester Simple Responsive Tourism Website - SQL Injection
Published: March 8, 2026Updated: March 9, 2026PoC AvailableRemote Exploitable
Overview
SourceCodester Simple Responsive Tourism Website 1.0 contains a sql injection caused by manipulation of the "Username" argument in /tourism/classes/Login.php?f=login, letting remote attackers execute arbitrary SQL commands, exploit requires no special privileges.
Severity & Score
Severity: High
CVSS Score: 7.3
Impact
Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
Mitigation
Update to the latest version or apply patches addressing SQL injection in Login component.
References
Related Resources
Details
- CVE ID
- CVE-2026-3746
- Severity
- High
- CVSS Score
- 7.3
- Type
- sql_injection
- Status
- confirmed
CWE
- CWE-74
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L