{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3746", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-07T20:15:47.662Z", "datePublished": "2026-03-08T15:32:11.525Z", "dateUpdated": "2026-03-11T19:42:44.520Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-08T15:32:11.525Z"}, "title": "SourceCodester Simple Responsive Tourism Website Login Login.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Simple Responsive Tourism Website", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Login"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-07T21:20:51.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Choco094late (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.349724", "name": "VDB-349724 | SourceCodester Simple Responsive Tourism Website Login Login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349724", "name": "VDB-349724 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767882", "name": "Submit #767882 | sourcecodester.com Simple Responsive Tourism Website V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/CH0ico/CVE_choco_7", "tags": ["related"]}, {"url": "https://github.com/CH0ico/CVE_choco_7/blob/main/report.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:42:35.289377Z", "id": "CVE-2026-3746", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:42:44.520Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3746", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T19:42:35.289377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:42:41.518Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Simple Responsive Tourism Website Login Login.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "Choco094late (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "modules": ["Login"], "product": "Simple Responsive Tourism Website", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-07T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-07T21:20:51.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.349724", "name": "VDB-349724 | SourceCodester Simple Responsive Tourism Website Login Login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349724", "name": "VDB-349724 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767882", "name": "Submit #767882 | sourcecodester.com Simple Responsive Tourism Website V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/CH0ico/CVE_choco_7", "tags": ["related"]}, {"url": "https://github.com/CH0ico/CVE_choco_7/blob/main/report.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-08T15:32:11.525Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3746", "state": "PUBLISHED", "dateUpdated": "2026-03-11T19:42:44.520Z", "dateReserved": "2026-03-07T20:15:47.662Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-08T15:32:11.525Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:simple_responsive_tourism_website:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1F3930D5-8A1D-4675-BA33-98CFAFC5FF04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Login.php?f=login of the component Login. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en SourceCodester Simple Responsive Tourism Website 1.0. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo /tourism/classes/Login.PHP?f=login del componente Login. Esta manipulaci\u00f3n del argumento Username causa inyecci\u00f3n SQL. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado."}], "id": "CVE-2026-3746", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-08T16:16:01.600", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/CH0ico/CVE_choco_7"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/CH0ico/CVE_choco_7/blob/main/report.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.349724"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.349724"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.767882"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Simple Responsive Tourism Website", "source": "cna", "vendor": "SourceCodester"}, "product": "simple_responsive_tourism_website", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-16T04:14:56.473835+00:00", "value": {"mitigation_remediation": ["Check for and apply any updates or official patches from SourceCodester.", "Implement input sanitization or use prepared statements for the login functionality to prevent SQL injection.", "Configure the server to limit login attempts or block suspicious IPs and monitor logs for anomalies."], "summary": {"action": "Apply Patch", "impact": "Database compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Simple Responsive Tourism Website, version 1.0, supplied by SourceCodester. No further sub\u2011products or service versions are identified. Only this single version is known to contain the vulnerability.", "description_and_impact": "This vulnerability resides in the SourceCodester Simple Responsive Tourism Website version 1.0 and is triggered by manipulating the Username parameter in the login function at /tourism/classes/Login.php?f=login. The flaw allows an attacker to inject arbitrary SQL, which can lead to unauthorized database access, data modification, or potential data exfiltration. The entry states that the exploit can be launched remotely and has been publicly disclosed, meaning attackers could target vulnerable installations without physical proximity. Consequently, the application may expose sensitive user data or compromise the integrity of the underlying database.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the near term, and the vulnerability is currently not listed in the CISA KEV database. The attack vector is inferred to be remote, as the description explicitly allows exploitation from external hosts via the web interface. Attackers would need valid network connectivity to the target and would benefit from knowledge of the login URL path; once the injection succeeds, they could gain read or modify access to database contents. Given the modest severity and low exploitation probability, the risk to an organization depends largely on the sensitivity of the stored data and the overall exposure of the application to the internet."}}}}, "created": "2026-03-09T10:03:03.787223+00:00", "updated": "2026-04-16T04:15:24.082505+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$simple_responsive_tourism_website"]}