CVE-2026-3746

7.3 HIGH

📋 TL;DR

CVE-2026-3746 is an SQL injection vulnerability in SourceCodester Simple Responsive Tourism Website 1.0 that allows attackers to execute arbitrary SQL commands via the username parameter in the login component. This affects all deployments of version 1.0 where the vulnerable file is accessible. Attackers can potentially steal sensitive data, modify database contents, or gain unauthorized access.

💻 Affected Systems

Products:
  • SourceCodester Simple Responsive Tourism Website
Versions: 1.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in the core login functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, and potential server takeover via SQL injection escalation.

🟠 Likely Case

Unauthorized access to sensitive user data, authentication bypass, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects the login component which is typically internet-facing.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability is in the login page which is typically accessible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Use parameterized queries or prepared statements in the login code so that the username value is never concatenated into the SQL string.

Modify /tourism/classes/Login.php to use prepared statements instead of direct string concatenation.
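The following is an added illustration of that change and is not SourceCodester's code. It assumes a mysqli connection in $conn, a users table with id, username and password columns, that the stored password is a password_hash() value (if the application stores plain or MD5 hashes, bind that value as a second parameter instead), and that get_result() is available (mysqlnd driver). The first function shows the concatenation pattern the advisory describes; the second is the prepared-statement form.

```php
<?php
// Added example, not the vendor's code. Assumptions: $conn is a mysqli
// connection; table `users` has id, username, password (password_hash value).

// Vulnerable pattern described in the advisory: user input is spliced into
// the SQL text, so the username value can change the query's structure.
function login_vulnerable(mysqli $conn, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    $res = $conn->query($sql);
    return ($res instanceof mysqli_result) ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: the query text is constant, the username travels as a bound
// parameter, and the password is checked in PHP with password_verify().
function login_prepared(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare(
        'SELECT id, username, password FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null; // preparation failed; treat as login failure
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password'])) {
        return null; // identical outcome for unknown user and wrong password
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}
```

With the bound parameter, a username such as o'connor is compared literally against the column; the quote cannot terminate the string in the query because no string is being built.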

Web Application Firewall (WAF) (applies to: all)

Deploy a WAF with SQL injection protection rules to block malicious requests.

Configure WAF rules to detect and block SQL injection patterns in login requests.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system from critical assets
  • Deploy intrusion detection systems to monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check if the file /tourism/classes/Login.php exists and contains unsanitized user input in SQL queries. Test with SQL injection payloads in the username field.

Check Version:

Check the version information in the application's documentation or configuration files.

Verify Fix Applied:

Test the login functionality with SQL injection payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in login attempts
  • Multiple failed login attempts with SQL keywords
  • Database error messages in application logs

Network Indicators:

  • HTTP POST requests to /tourism/classes/Login.php containing SQL keywords in parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND (url="/tourism/classes/Login.php" AND (username="*' OR *" OR username="*;*" OR username="*--*"))
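As an added example (not part of the advisory), the same three patterns as the SIEM query expressed in PHP so they can be run offline against an application log. The log format, space-separated key=value fields with the submitted username in double quotes, is an assumption; the sample lines are constructed. The last line shows the caveat a practitioner should expect: a legitimate username containing "--" also matches, so hits need review rather than automatic blocking.

```php
<?php
// Added example, not the vendor's code. Assumed log shape per line:
//   <timestamp> method=<M> path=<P> username="<U>" status=<N>

const LOGIN_PATH = '/tourism/classes/Login.php';

// Same indicators as the SIEM query: "' OR", ";" and "--" in the username.
const SQLI_PATTERNS = [
    "/' OR /i" => 'quote followed by OR',
    '/;/'      => 'statement separator',
    '/--/'     => 'SQL comment marker',
];

function parse_log_line(string $line): ?array
{
    if (!preg_match('/method=(\S+) path=(\S+) username="([^"]*)"/', $line, $m)) {
        return null; // line does not follow the assumed format
    }
    return ['method' => $m[1], 'path' => $m[2], 'username' => $m[3]];
}

// Returns one hit per POST to the login path whose username matches a pattern.
function flag_login_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null || $req['method'] !== 'POST' || $req['path'] !== LOGIN_PATH) {
            continue; // only login POSTs are in scope, as in the SIEM query
        }
        foreach (SQLI_PATTERNS as $re => $label) {
            if (preg_match($re, $req['username'])) {
                $hits[] = ['line' => $n + 1, 'username' => $req['username'], 'reason' => $label];
                break; // one reason per line is enough for triage
            }
        }
    }
    return $hits;
}

// Constructed sample log lines for the demonstration.
$sample = [
    '2026-01-01T10:00:00Z method=POST path=/tourism/classes/Login.php username="alice" status=200',
    '2026-01-01T10:00:05Z method=POST path=/tourism/classes/Login.php username="o\'connor" status=401',
    '2026-01-01T10:00:09Z method=POST path=/tourism/classes/Login.php username="admin\' OR 1=1 --" status=200',
    '2026-01-01T10:00:12Z method=GET path=/tourism/index.php username="" status=200',
    '2026-01-01T10:00:15Z method=POST path=/tourism/classes/Login.php username="jean--luc" status=401',
];

foreach (flag_login_attempts($sample) as $hit) {
    printf("line %d: username %s flagged (%s)\n",
        $hit['line'], json_encode($hit['username']), $hit['reason']);
}
```

Running it flags line 3 (quote followed by OR) and line 5 (SQL comment marker); line 2, a username with a plain apostrophe, is not flagged because the query pattern requires the quote to be followed by OR. Pair a hit with the application's database error log entries (the third log indicator above) before escalating.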
