Platform: php
Component: vulnerability-practice
Fixed version: 1.0.1
CVE-2026-4876 is a vulnerability affecting PocketMine-MP servers related to the handling of JSON payloads within ModalFormResponsePacket. An attacker can exploit this by sending excessively large JSON responses, leading to denial-of-service conditions due to excessive memory and CPU usage. This vulnerability impacts PocketMine-MP versions 5.9.0 and earlier, requiring the player to be actively connected to the server. A patch addressing this issue has been released in version 5.39.2.
A SQL injection vulnerability has been identified in itsourcecode Free Hotel Reservation System version 1.0. This flaw, cataloged as CVE-2026-4876, affects an unknown function within the file /admin/mod_amenities/index.php?view=editpic. A remote attacker can exploit this vulnerability by manipulating the 'ID' argument, potentially allowing unauthorized access to the database, modification or deletion of sensitive data, and even execution of malicious code on the server. The public availability of an exploit exacerbates the risk, as it facilitates its use by malicious actors. The vulnerability's severity is rated at 6.3 according to CVSS, indicating a moderate to high risk.
The vulnerability is exploited through manipulation of the 'ID' parameter in the URL /admin/mod_amenities/index.php?view=editpic. An attacker can inject malicious SQL code into this parameter, which is then executed on the system's database. The remote nature of the exploitation means an attacker does not need physical access to the server to compromise the system. The public availability of the exploit facilitates the identification and use of the vulnerability by attackers with varying levels of technical skill. The lack of an official fix increases the window of opportunity for attackers to exploit the system.
Exploitation status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
Currently, no official fix has been provided by the developers of the Free Hotel Reservation System. The most effective immediate mitigation is to temporarily disable the affected functionality (/admin/mod_amenities/index.php?view=editpic) or restrict access to this page to authorized and trusted users only. It is strongly recommended to monitor the developer's website for security updates and apply the fix as soon as it becomes available. Additionally, implementing robust security practices, such as validating and sanitizing all user inputs, can help prevent future SQL injection vulnerabilities. Consider upgrading to a more secure version of the system, if available, as a preventative measure.
Update to a patched version of the hotel reservation system. If no patched version is available, it is recommended to disable or remove the hotel reservation system until a fix can be applied. Alternatively, robust input validation can be implemented for the ID parameter in the file /admin/mod_amenities/index.php?view=editpic to prevent SQL injection.
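The input validation recommended above, shown as an added PHP example; this is an illustration written for this page, not the Free Hotel Reservation System's own code. The table name `amenities`, its integer `id` column, the PDO connection details and the handler structure are assumptions; the unsafe pattern it replaces is concatenating the raw `ID` query value into the SQL string.

```php
<?php
// Added illustration for the advisory above, NOT the Free Hotel Reservation
// System's own code. Assumed: a MySQL table `amenities` with an integer
// primary key `id`; PDO is available; this runs for view=editpic.
declare(strict_types=1);

/**
 * Validate the untrusted ?ID= value before it reaches the database.
 * Returns a positive integer, or null if the value is not a plain integer.
 */
function amenityIdFromRequest(array $query): ?int
{
    $raw = $query['ID'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer
    // (quotes, spaces, comment markers, ...), so SQL never sees free text.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the amenity picture row with a prepared statement. The value is
 * bound as an integer parameter, never concatenated into the SQL string
 * (the unsafe pattern would be '... WHERE id = ' . $_GET['ID']).
 */
function loadAmenityPicture(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, picture FROM amenities WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- hypothetical request handling for view=editpic ---------------------
$id = amenityIdFromRequest($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid amenity ID');
}

$pdo = new PDO('mysql:host=localhost;dbname=hotel', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$row = loadAmenityPicture($pdo, $id);
if ($row === null) {
    http_response_code(404);
    exit('Amenity not found');
}
```

Rejecting non-integer input with a 400 before any query runs also gives a simple log signal: repeated 400 responses on this endpoint are worth alerting on while the page is exposed.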
SQL injection is an attack technique that allows attackers to insert malicious SQL code into an application to access or manipulate the database.
Disabling the vulnerable functionality, restricting access, validating user inputs, and monitoring for security updates are important measures.
Currently, there is no official fix provided by the developer.
CVSS 6.3 indicates a moderate to high level of risk, meaning the vulnerability could be exploited relatively easily and have a significant impact.
Check the Free Hotel Reservation System developer's website and vulnerability databases like the National Vulnerability Database (NVD).