CVE-2026-3710: SQL Injection in code-projects Simple Flight Ticket Booking System
CVE-2026-3710 is a medium severity SQL injection vulnerability found in version 1.0 of the code-projects Simple Flight Ticket Booking System. The flaw exists in the /Adminadd.php file, where manipulation of parameters such as flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, and bp can lead to SQL injection. This vulnerability allows remote attackers to execute unauthorized SQL commands without requiring user interaction, but does require high privileges. Although no public exploits are currently known in the wild, the exploit details have been disclosed publicly, increasing the risk of exploitation. The vulnerability impacts confidentiality, integrity, and availability of the affected system, but the scope is limited to the specific product and version. Organizations using this booking system should prioritize patching or applying mitigations to prevent potential data breaches or system compromise.
AI Analysis
Technical Summary
CVE-2026-3710 is a SQL injection vulnerability identified in the Simple Flight Ticket Booking System version 1.0 developed by code-projects. The vulnerability resides in the /Adminadd.php script, where multiple input parameters including flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, and bp are improperly sanitized. This improper input validation allows an attacker with high privileges to inject malicious SQL queries remotely, potentially manipulating the backend database. The CVSS 4.0 base score is 5.1, reflecting a medium severity level due to the requirement of high privileges and the limited scope of impact. The vulnerability affects confidentiality, integrity, and availability by enabling unauthorized data access or modification. No user interaction is required for exploitation, and the attack vector is network-based, making remote exploitation feasible. Although no known exploits are currently active in the wild, the public disclosure of exploit details increases the risk that attackers may develop and deploy exploits. The lack of available patches or updates at the time of disclosure necessitates immediate mitigation efforts by affected organizations.
Potential Impact
The SQL injection vulnerability in the Simple Flight Ticket Booking System can lead to unauthorized access to sensitive flight booking data, manipulation or deletion of records, and potential disruption of booking services. Attackers exploiting this flaw could compromise the confidentiality of passenger information, alter flight schedules or booking details, and degrade system availability. Given the system’s role in managing flight ticket bookings, such impacts could result in financial losses, reputational damage, and regulatory compliance violations for affected organizations. The requirement for high privileges limits the attack surface somewhat, but insider threats or compromised administrative accounts could be leveraged to exploit this vulnerability. The public disclosure of the exploit details increases the likelihood of exploitation attempts, especially in environments where the system remains unpatched or unmitigated.
Mitigation Recommendations
Organizations using the affected Simple Flight Ticket Booking System version 1.0 should immediately review and restrict administrative access to trusted personnel only, minimizing the risk of privilege abuse. Input validation and parameter sanitization should be implemented or enhanced in the /Adminadd.php script to prevent SQL injection, ideally using prepared statements or parameterized queries. If vendor patches or updates become available, they should be applied promptly. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting the vulnerable parameters. Regular security audits and code reviews should be conducted to identify and remediate similar vulnerabilities. Additionally, monitoring and logging of administrative actions and database queries can help detect suspicious activities indicative of exploitation attempts. Organizations should also consider isolating the booking system from public networks or restricting access via VPN or other secure channels to reduce exposure.
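The prepared-statement mitigation above, as an added example that is not the project's own code: the actual source of /Adminadd.php is not on this page, so the `$conn` mysqli connection, the `flights` table, the column names and the meaning of the ec/ep/bc/bp fields (seat counts and prices) are assumptions; only the parameter names come from the advisory.

```php
<?php
// Added example, not code from the project. Hardened handling of the ten
// /Adminadd.php parameters named in the advisory. $conn (mysqli), the
// `flights` table and the column names are assumed.

// Pattern that produces this class of flaw (illustrative, not the real file):
// splicing request values straight into the query string lets a parameter
// alter the statement itself instead of being treated as data.
//   $sql = "INSERT INTO flights (flightno, ...) VALUES ('" . $_POST['flightno'] . "', ...)";

$fields = ['flightno', 'airplaneid', 'departure', 'dtime', 'arrival', 'atime', 'ec', 'ep', 'bc', 'bp'];
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || $_POST[$f] === '') {
        http_response_code(400);
        exit('missing parameter: ' . $f);
    }
}

// Type checks before the query: ids and seat counts must be integers, prices
// decimals, times in HH:MM form. Rejecting bad input early also gives a
// clean log event to alert on.
$timeRe     = '/^(?:[01]\d|2[0-3]):[0-5]\d$/';
$airplaneid = filter_var($_POST['airplaneid'], FILTER_VALIDATE_INT);
$ec = filter_var($_POST['ec'], FILTER_VALIDATE_INT);   // economy seats (assumed meaning)
$bc = filter_var($_POST['bc'], FILTER_VALIDATE_INT);   // business seats (assumed meaning)
$ep = filter_var($_POST['ep'], FILTER_VALIDATE_FLOAT); // economy price (assumed meaning)
$bp = filter_var($_POST['bp'], FILTER_VALIDATE_FLOAT); // business price (assumed meaning)
if ($airplaneid === false || $ec === false || $bc === false || $ep === false || $bp === false
    || !preg_match($timeRe, $_POST['dtime']) || !preg_match($timeRe, $_POST['atime'])) {
    http_response_code(400);
    exit('invalid parameter value');
}

// Prepared statement: the SQL structure is fixed at prepare time and every
// value travels separately as a bound parameter, so no input can become SQL.
$stmt = $conn->prepare(
    'INSERT INTO flights (flightno, airplaneid, departure, dtime, arrival, atime, ec, ep, bc, bp)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param(
    'sissssidid',
    $_POST['flightno'], $airplaneid, $_POST['departure'], $_POST['dtime'],
    $_POST['arrival'], $_POST['atime'], $ec, $ep, $bc, $bp
);
$stmt->execute();
$stmt->close();
```

The same binding discipline applies to every other query in the application; the validation regex and numeric checks should be adjusted to whatever formats the real schema stores.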
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Japan, South Korea
Technical Details
Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-07T09:12:55.413Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 69ad0ead2904315ca36e8d90
Added to database: 3/8/2026, 5:52:45 AM
Last enriched: 3/8/2026, 6:07:00 AM
Last updated: 3/8/2026, 8:00:02 AM