PatchSiren

CVE-2026-13555 itsourcecode CVE debrief

CVE-2026-13555 is a SQL injection vulnerability in itsourcecode Online Hotel Management System 1.0. The vulnerability affects the /admin/mod_users/controller.php?action=add file. The manipulation of the Name argument results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. This vulnerability has a CVSS score of 5.5 and a severity of MEDIUM.

Vendor: itsourcecode
Product: Online Hotel Management System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-29
Original CVE updated: 2026-06-29
Advisory published: 2026-06-29
Advisory updated: 2026-06-29

Who should care

Security teams and administrators responsible for itsourcecode Online Hotel Management System 1.0 should prioritize patching this vulnerability. Its remote exploitability and the public availability of an exploit increase the urgency of remediation. The CVSS score of 5.5 indicates a medium severity level.

Technical summary

CVE-2026-13555 is a SQL injection vulnerability in the /admin/mod_users/controller.php?action=add file of itsourcecode Online Hotel Management System 1.0. The vulnerability occurs due to improper handling of user input in the Name argument. An attacker can exploit this vulnerability remotely, potentially leading to unauthorized data access or modification. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Patching this vulnerability is a high priority due to its remote exploitability and public exploit availability. Security teams should check their asset inventory for affected installations and apply the patch as soon as possible.

Recommended defensive actions

  • Apply the official patch provided by the vendor.
  • Check the asset inventory to confirm whether an affected installation (Online Hotel Management System 1.0) is deployed.
  • Implement compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent SQL injection attacks.
  • Monitor the system for suspicious activity.
  • Perform regular vulnerability assessments and penetration testing to identify and address potential vulnerabilities.
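
Added example (not from PatchSiren or the vendor): a small access-log triage for the monitoring action above, flagging requests that reach the endpoint named in this advisory. The combined log format, the admin IP allowlist, the burst threshold and the function names are assumptions; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and action named in the advisory.
TARGET_PATH = "/admin/mod_users/controller.php"
TARGET_ACTION = "add"

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def hits_endpoint(target):
    """True if target is the advisory's user-add action (path normalised)."""
    parts = urlsplit(target)
    path = re.sub(r"/{2,}", "/", unquote(parts.path)).lower()
    actions = [a.lower() for a in parse_qs(parts.query).get("action", [])]
    return path.endswith(TARGET_PATH) and TARGET_ACTION in actions

def triage(lines, admin_ips, burst=3):
    """Return (alerts, per-source counts) for requests to the endpoint."""
    alerts, counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue
        ip, ts = m["ip"], m["ts"]
        counts[ip] += 1
        if ip not in admin_ips:
            alerts.append((ip, ts, "source outside admin allowlist"))
        elif counts[ip] == burst:
            alerts.append((ip, ts, "burst of user-add requests"))
        if m["status"].startswith("5"):
            # A 5xx here can mean the submitted value broke the SQL statement.
            alerts.append((ip, ts, "server error on user-add request"))
    return alerts, counts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [29/Jun/2026:09:00:01 +0000] "POST /admin/mod_users/controller.php?action=add HTTP/1.1" 302 0',
    '203.0.113.7 - - [29/Jun/2026:09:05:12 +0000] "POST /admin/mod_users/controller.php?action=add HTTP/1.1" 500 512',
    '192.0.2.10 - - [29/Jun/2026:09:06:40 +0000] "POST /admin/mod_users/controller.php?action=edit HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, admin_ips={"192.0.2.10"})[0]:
        print(alert)
```

Access logs normally do not record POST bodies, so this triage works on who reaches the endpoint and how the server responds, not on the submitted Name value.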

Evidence notes

The CVE-2026-13555 vulnerability was found in itsourcecode Online Hotel Management System 1.0. The vulnerability affects the /admin/mod_users/controller.php?action=add file. The manipulation of the Name argument results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. The CVSS score is 5.5, and the severity is MEDIUM.

Official resources

This article is AI-assisted and based on the supplied source corpus.