Skip to main content

Ship Ferry Ticket Reservation System CVE-2026-10876

| EUVDEUVD-2026-34772 LOW
Incorrect Privilege Assignment (CWE-266)
2026-06-05 cna@vuldb.com GHSA-cf7f-3hv9-8wph
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 00:31 vuln.today

DescriptionCVE.org

A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Improper authorization in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows authenticated remote attackers with low privileges to manipulate the page argument on the /admin/ endpoint, bypassing access controls and gaining unauthorized access to administrative functionality. The CVSS 4.0 vector (PR:L) confirms exploitation requires a valid low-privileged account rather than unauthenticated access. Publicly available exploit code exists (E:P in CVSS 4.0 vector, corroborated by a published Medium writeup), though the overall severity is rated Low (2.1) due to limited confidentiality, integrity, and availability impact with no scope change to subsequent systems.

Technical ContextAI

The affected product is SourceCodester Ship Ferry Ticket Reservation System 1.0, a PHP-based open-source reservation application distributed via sourcecodester.com. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the /admin/ endpoint does not properly validate the privilege level of the authenticated session when processing the page query parameter. Rather than enforcing role-based access controls server-side, the application appears to trust client-supplied page values to gate administrative views, allowing a low-privileged user to traverse to restricted admin pages by crafting parameter values outside their intended scope. No CPE string was provided in the source data, but the product version is confirmed as 1.0.

RemediationAI

No vendor-released patch has been identified at time of analysis; the vulnerability was reported through VulDB (submission 831870) and no corresponding advisory from SourceCodester has been referenced. As a compensating control, restrict access to the /admin/ directory at the web server level using IP allowlisting (e.g., via Apache Require ip directives or nginx allow/deny blocks) to ensure only trusted administrator IPs can reach the endpoint - note this trades off flexibility for remote admin access. Additionally, enforce strict server-side role validation for all page parameter values in the admin controller, rejecting any value not explicitly mapped to the authenticated user's privilege level. Operators running this system in internet-facing environments should consider taking the admin interface offline or behind a VPN until a code-level fix is available. See the VulDB entry at https://vuldb.com/vuln/368366 and the researcher's writeup at https://medium.com/@hemantrajbhati5555/missing-authorization-in-sourcecodester-ship-ferry-ticket-reservation-system-leads-to-unauthorized-7783134d6596 for technical details.

Share

CVE-2026-10876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy