CVE-2026-2848

HIGH

SourceCodester Tourism Website 1.0 - SQL Injection

Description

A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. It affects an unknown functionality of the file /classes/Master.php?f=register in the Registration component. Manipulating the Username argument causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.

Exploits (1)

nomisec SUSPICIOUS
by richardpaimu34 · poc
https://github.com/richardpaimu34/CVE-2026-2848

Scores

CVSS v3 7.3
EPSS 0.0003
EPSS Percentile 10.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-74 CWE-89
Status published

Affected Products (1)

oretnom23/simple_responsive_tourism_website

Timeline

Published Feb 20, 2026
Tracked Since Feb 21, 2026