COSMICBYTEZLABS
CVE-2026-3746: SQL Injection in SourceCodester Simple

A remotely exploitable SQL injection vulnerability has been disclosed in SourceCodester Simple Responsive Tourism Website 1.0, allowing attackers to...

Dylan H.

Security Team

March 9, 2026
6 min read

Affected Products

  • SourceCodester Simple Responsive Tourism Website 1.0

CVE-2026-3746: Login SQL Injection in SourceCodester Tourism Website Enables Auth Bypass

A SQL injection vulnerability identified as CVE-2026-3746 has been disclosed in SourceCodester Simple Responsive Tourism Website 1.0, a PHP-based tourism and travel web application. The flaw is located in the application's login endpoint and allows remote, unauthenticated attackers to inject arbitrary SQL commands through the Username field — potentially achieving full authentication bypass or database extraction without valid credentials.

The vulnerability carries a CVSS v3.1 score of 7.3 (High) and is classified under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands. A public exploit has been released.


Vulnerability Overview

Attribute                Value
CVE ID                   CVE-2026-3746
CVSS Score               7.3 (High)
CWE Classification       CWE-89 — SQL Injection
Affected Software        SourceCodester Simple Responsive Tourism Website 1.0
Vulnerable File          /tourism/classes/Login.php?f=login
Vulnerable Parameter     Username
Component                Login
Attack Vector            Network (Remote)
Authentication Required  None
Exploit Published        Yes — public exploit available
Patch Available          None confirmed

Technical Details

Affected Component

The vulnerability exists in the login processing class at /tourism/classes/Login.php?f=login. This endpoint handles user authentication by comparing the submitted username and password against records in the database. The Username parameter is interpolated directly into the SQL query rather than handled through parameterized statements, creating a classic pre-authentication SQL injection condition.

Exploitation Mechanism

Because the vulnerable parameter is in the login form, exploitation requires no prior authentication whatsoever. An attacker can submit a crafted username directly to the login endpoint:

POST /tourism/classes/Login.php?f=login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

Username=admin'--&Password=anything

Authentication bypass payload:

Username=' OR '1'='1'--
Password=irrelevant

Data extraction via UNION injection:

Username=' UNION SELECT NULL,username,password,NULL FROM users--

Depending on the database structure, a successful injection can:

  • Bypass authentication entirely — logging in as any user, including administrators
  • Enumerate database schemas — listing tables and columns
  • Extract all stored data — user accounts, booking details, tour information, payment records
  • Expose administrator credentials for further privilege escalation

Attack Flow

  1. Attacker reaches the login page of an internet-exposed tourism website instance
  2. Attacker submits SQL injection payload in the Username field of the login form
  3. Malicious input is passed directly to the backend SQL query without sanitization
  4. Authentication logic is bypassed — attacker gains logged-in access as admin
  5. Alternatively, UNION-based injection extracts all records from the database
  6. Attacker has full access to customer data, bookings, and administrative functions

Why Login SQLi Is Especially Dangerous

SQL injection vulnerabilities in login forms represent some of the most critical instances of this flaw class because:

  1. Pre-authentication: The attack requires no existing credentials — the login page itself is the attack surface
  2. Immediate privilege gain: Authentication bypass grants attacker-level access equal to the account being impersonated (often admin)
  3. High discoverability: Login pages are publicly accessible by design, making them the first target in reconnaissance
  4. Mass exploitation potential: Automated scanners routinely probe login endpoints for SQL injection, meaning exploitation can happen quickly after public exploit release

This vulnerability is particularly concerning given that a public exploit has already been released and SourceCodester applications are widely deployed.


Related Vulnerabilities

SourceCodester Simple Responsive Tourism Website has been the subject of multiple prior vulnerability disclosures. CVE-2026-2848 affected the same application's Registration/Master.php page with a similar SQL injection. This pattern of recurring SQLi vulnerabilities in the same codebase suggests the underlying issue is a lack of any consistent input validation framework across the application.


Remediation

No official patch has been released. Immediate mitigations include:

Access Controls

  1. Take the application offline if it is publicly accessible and contains real user data — the login SQL injection is pre-authentication and trivially exploitable
  2. Restrict access to trusted IP ranges if the application must remain accessible
  3. Deploy a WAF with SQL injection rules covering the login endpoint

Code-Level Fix

Replace raw string interpolation in the login query with prepared statements:

// Vulnerable pattern (do not use): both fields are concatenated straight into the query
$query = "SELECT * FROM users WHERE username = '" . $_POST['Username'] . "' AND password = '" . $_POST['Password'] . "'";

// Secure pattern (PDO): the username is bound as a parameter, never interpolated,
// and the password is checked in PHP against a stored bcrypt/Argon2 hash produced
// by password_hash(), rather than being compared inside the SQL statement
$stmt = $pdo->prepare("SELECT id, password FROM users WHERE username = ? LIMIT 1");
$stmt->execute([$_POST['Username']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user !== false && password_verify($_POST['Password'], $user['password'])) {
    // authenticated: start the session for $user['id']
}

Additionally:

  • Hash passwords using bcrypt or Argon2 — do not store or compare plaintext passwords
  • Implement rate limiting on the login endpoint to prevent brute-force and enumeration attacks
  • Log and alert on unusual login attempts or SQL error responses
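The following is an added example, not code from the advisory or from the SourceCodester project. It puts the remediation points above together in one hardened login handler: a PDO prepared statement for the username lookup, password_verify() against a bcrypt/Argon2 hash, a per-client failure counter that locks the endpoint after repeated failures, and an audit log that flags input resembling an injection probe. The users table and its columns, the in-memory SQLite database, the sample account, the client address and the lockout thresholds are all constructed for the demo so the script runs stand-alone with the PHP CLI; in a real deployment the PDO connection and the failure store (a shared cache or database table, not a PHP array) would be replaced.

```php
<?php
// Added example (not part of the original advisory or the SourceCodester project).
// Hardened login handler: prepared statements, password_verify(), rate limiting,
// and logging of suspicious input. Everything below (table, columns, sample user,
// in-memory SQLite, client IP, thresholds) is constructed so the script runs alone.
declare(strict_types=1);

const MAX_FAILURES = 5;        // failed attempts per client before lockout (assumed value)
const LOCKOUT_SECONDS = 900;   // lockout window in seconds (assumed value)

/** @var array<string, array{count:int, until:int}> in-memory failure counter (demo only) */
$failures = [];
/** @var list<string> collected audit lines so the demo can show what would be alerted on */
$auditLog = [];

function logEvent(array &$auditLog, string $event, string $username, string $ip): void {
    // Truncate the username so a long payload cannot flood the log; never log the password
    $line = sprintf('%s event=%s ip=%s username=%s', date('c'), $event, $ip, substr($username, 0, 64));
    $auditLog[] = $line;
    error_log($line);
}

function looksLikeSqlInjection(string $input): bool {
    // Alerting heuristic only: quotes, comment markers and UNION/SELECT keywords.
    // It may flag legitimate names such as O'Brien, which is why it logs rather than blocks;
    // the prepared statement below is the actual control.
    return (bool) preg_match('/[\'"]|--|\/\*|\bunion\b|\bselect\b/i', $input);
}

function setupDatabase(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // Constructed sample account; PASSWORD_DEFAULT is bcrypt on current PHP releases
    $stmt->execute(['admin', password_hash('S3cure-Demo-Passw0rd', PASSWORD_DEFAULT)]);
    return $pdo;
}

/**
 * Returns the user id on success or null on failure. The username reaches the
 * database only as a bound parameter, so the payloads quoted in this advisory are
 * compared literally against the username column and match nothing.
 */
function login(PDO $pdo, string $username, string $password, string $ip,
               array &$failures, array &$auditLog): ?int {
    $now = time();
    if (isset($failures[$ip]) && $failures[$ip]['count'] >= MAX_FAILURES && $failures[$ip]['until'] > $now) {
        logEvent($auditLog, 'rate_limited', $username, $ip);
        return null;
    }
    if (looksLikeSqlInjection($username)) {
        logEvent($auditLog, 'sqli_probe', $username, $ip);
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so response time does not reveal valid usernames
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false) {
        password_verify($password, $dummyHash);
        $ok = false;
    } else {
        $ok = password_verify($password, $row['password_hash']);
    }

    if (!$ok) {
        $entry = $failures[$ip] ?? ['count' => 0, 'until' => 0];
        $entry['count']++;
        $entry['until'] = $now + LOCKOUT_SECONDS;
        $failures[$ip] = $entry;
        logEvent($auditLog, 'login_failed', $username, $ip);
        return null;
    }
    unset($failures[$ip]);
    logEvent($auditLog, 'login_ok', $username, $ip);
    return (int) $row['id'];
}

// Demo: the advisory's bypass payloads fail, valid credentials succeed,
// and repeated failures trip the lockout.
$pdo = setupDatabase();
$ip = '203.0.113.10'; // constructed client address (TEST-NET-3 documentation range)
foreach (["admin'--", "' OR '1'='1'--"] as $payload) {
    var_dump(login($pdo, $payload, 'anything', $ip, $failures, $auditLog)); // NULL each time
}
var_dump(login($pdo, 'admin', 'S3cure-Demo-Passw0rd', $ip, $failures, $auditLog)); // int(1)
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($pdo, 'admin', 'wrong-password', $ip, $failures, $auditLog);
}
var_dump(login($pdo, 'admin', 'S3cure-Demo-Passw0rd', $ip, $failures, $auditLog)); // NULL: locked out
echo implode(PHP_EOL, $auditLog), PHP_EOL;
```

The two bypass strings from the Exploitation Mechanism section arrive at the database as plain username values, so the SELECT finds no row and the handler returns null; the audit log records them as sqli_probe events, which is the signal the "log and alert" recommendation above is asking for. The lockout counter here is keyed on client IP only for brevity; a production implementation would key on both the client and the target account so a distributed attacker cannot sidestep it.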

Impact Assessment

Impact Area              Description
Authentication Bypass    Attacker can log in as any user including administrators without credentials
Customer PII Exposure    Booking details, contact information, and travel plans accessible
Credential Theft         User account credentials (potentially plaintext) can be extracted
Site Defacement          Admin access enables content modification and backdoor installation
Compliance Risk          Tourist/customer PII disclosure may trigger GDPR or local data protection violations
Exploitation Barrier     None — pre-authentication with public exploit available

Key Takeaways

  1. CVE-2026-3746 is a pre-authentication SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 — the login Username parameter is unsanitized
  2. CVSS 7.3 (High) — but the pre-authentication nature makes the practical severity higher than the score suggests for internet-facing deployments
  3. Authentication bypass is trivially achievable with a single crafted login request
  4. A public exploit has been released — any internet-accessible deployment should be treated as immediately at risk
  5. SourceCodester tourism and hospitality applications have a history of similar SQLi flaws; all deployments should be audited for input validation issues

Sources

  • CVE-2026-3746 — NIST NVD
  • CVE-2026-3746 — TheHackerWire
  • CVE-2026-2848: SourceCodester Tourism Website SQL Injection — VulDB
