Skip to main content

Hotel and Tourism Reservation System CVE-2026-10288

| EUVD-2026-33762 MEDIUM
Improper Authentication (CWE-287)
2026-06-01 VulDB GHSA-qr63-7ppg-q2f9
PHP Authentication Bypass
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 01, 2026 - 21:22 NVD
HIGH MEDIUM
CVSS changed
Jun 01, 2026 - 21:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
Jun 01, 2026 - 20:52 vuln.today

DescriptionCVE.org

A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

AnalysisAI

Authentication bypass in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to defeat admin login by manipulating the Password argument processed by the password_verify function in /admin/login.php. The flaw is reachable over the network without prior authentication, and publicly available exploit code exists, increasing the likelihood of opportunistic abuse against exposed deployments.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed reservation system
Delivery
Locate /admin/login.php endpoint
Exploit
Send crafted Password parameter
Execution
Bypass password_verify check
Persist
Obtain admin session
Impact
Manipulate reservation/customer data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the /admin/login.php endpoint of a deployed code-projects Hotel and Tourism Reservation System 1.0 instance and the ability to submit a crafted Password parameter to the Admin Login form; per CVSS PR:N/UI:N no authentication or user interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates a network-reachable, low-complexity, unauthenticated attack with low impact across confidentiality, integrity, and availability - consistent with bypassing an admin login to a small PHP app. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker locates an internet-exposed instance of Hotel and Tourism Reservation System 1.0, retrieves the public proof-of-concept from the referenced GitHub repository (Xmyronn/Hotel-and-Tourism-Reservation-System---Authentication-Bypass), and submits a crafted POST request to /admin/login.php with a manipulated Password value that defeats the password_verify check. The attacker gains an authenticated admin session and can then manipulate reservations, customer data, or upload further content through admin functionality.
Remediation No vendor-released patch identified at time of analysis; operators should monitor https://code-projects.org/ and the VulDB entry at https://vuldb.com/vuln/367581 for an updated release of Hotel and Tourism Reservation System beyond 1.0. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all deployed instances of code-projects Hotel and Tourism Reservation System 1.0; isolate or restrict network access to the admin panel from untrusted sources; review authentication logs for suspicious attempts against /admin/login.php. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-10288 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy