PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-36942 Unknown Vendor CVE debrief

CVE-2026-36942 describes a SQL injection issue in /orms/admin/activities/manage_activity.php in Sourcecodester Online Resort Management System v1.0. The supplied CVSS data rates it LOW (2.7) and shows network attack conditions with high privileges required. NVD currently marks the record as Deferred, so defenders should treat it as a documented weakness in a specific administrative code path and verify whether they are running the affected version.

Vendor
Unknown Vendor
Product
Unknown
CVSS
LOW 2.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-13
Original CVE updated
2026-05-10
Advisory published
2026-04-13
Advisory updated
2026-05-10

Who should care

Administrators and maintainers of Sourcecodester Online Resort Management System v1.0 deployments, especially teams responsible for admin-panel hardening, code review, and vulnerability management.

Technical summary

The CVE record and supporting reference describe SQL injection (CWE-89) in the admin activity management script /orms/admin/activities/manage_activity.php. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, indicating network-reachable exploitation of low complexity that requires high privileges and no user interaction, with unchanged scope; the provided data states only a limited confidentiality impact and no integrity or availability impact.

Defensive priority

Routine / low urgency, but still worth tracking in the next maintenance window because the issue affects an administrative code path and is explicitly documented in the CVE record.

Recommended defensive actions

  • Confirm whether Sourcecodester Online Resort Management System v1.0 is deployed anywhere in your environment.
  • Review the referenced report and any vendor or maintainer advisories for a fixed release or remediation guidance.
  • Apply an update, patch, or compensating control as soon as a verified fix is available.
  • Restrict access to the affected admin functionality to trusted users and trusted networks only.
  • Review the affected code path for parameterized database queries and input validation.
  • Monitor application and database logs for unusual query errors or unexpected access to the admin activities page.
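To make the code-review action concrete, the following PHP is an added illustration written for this debrief; it is not code from the Online Resort Management System, and the table name, column names, and the `id`/`name` request parameters are hypothetical. It contrasts the CWE-89 pattern a reviewer should flag (request input concatenated into SQL text) with the prepared-statement form and boundary validation that remediate it.

```php
<?php
// Added illustrative example, not code from the affected project.
// Table/column names and request parameter names are assumptions.

// PATTERN TO FLAG (CWE-89): untrusted input spliced into the SQL string.
// Whatever the request supplies becomes part of the statement the
// database parses, so the input can change the statement's structure.
function find_activity_unsafe(mysqli $conn, string $id): ?array
{
    $sql = "SELECT id, name FROM activity_list WHERE id = '" . $id . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// REMEDIATED FORM: a prepared statement sends the SQL text and the bound
// values separately; a bound value can never alter the statement itself.
function find_activity_safe(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare("SELECT id, name FROM activity_list WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same principle for a write path with a free-text value: bind the string
// ("s") rather than quoting it by hand.
function rename_activity_safe(mysqli $conn, int $id, string $name): bool
{
    $stmt = $conn->prepare("UPDATE activity_list SET name = ? WHERE id = ?");
    $stmt->bind_param("si", $name, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Boundary validation: reject anything that is not a positive integer
// before it reaches the query layer. Defense in depth; it does not replace
// the prepared statement.
function require_int_param(string $name): int
{
    $raw = $_GET[$name] ?? $_POST[$name] ?? null;
    $val = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($val === false) {
        http_response_code(400);
        exit('Invalid ' . htmlspecialchars($name) . ' parameter');
    }
    return $val;
}

// Usage sketch for a manage-style admin handler (connection details are
// placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $conn = new mysqli('localhost', 'db_user', 'db_pass', 'orms_db');
// $conn->set_charset('utf8mb4');
// $id  = require_int_param('id');
// $row = find_activity_safe($conn, $id);
```

When auditing the affected script, search for `$conn->query(` or `mysqli_query(` calls whose SQL string is built with `.` concatenation or interpolated `$_GET`/`$_POST` values; each such site should be converted to the `prepare`/`bind_param` form shown above, with validation of the parameter type at the point the request is read.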

Evidence notes

All claims here are limited to the supplied CVE data and the linked public reference. The CVE was published on 2026-04-13 and last modified on 2026-05-10. The provided NVD metadata lists the vulnerability status as Deferred, references CWE-89, and includes a single external report at the GitHub URL supplied in the source corpus. No KEV entry is present in the supplied timeline/enrichment data.

Official resources

Publicly published as CVE-2026-36942 on 2026-04-13 and last modified on 2026-05-10. The supplied NVD record is marked Deferred, and the corpus includes one supporting external reference.