MEDIUM 4.3

CVE-2026-10289: XSS Vulnerability in Hotel and Tourism Reservation System 1.0

A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name /email /people /number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a reflected XSS flaw (CWE-79) affecting the /ht/tour.php endpoint in Hotel and Tourism Reservation System 1.0. Input validation is insufficient on parameters including 'name', 'email', 'people', and 'number'. An attacker can craft a malicious URL containing JavaScript payload in any of these parameters; the application reflects the unsanitized input directly into the HTML response without encoding. This enables arbitrary client-side script execution in the context of the victim's session. The CVSS 3.1 score is 4.3 (Medium severity), with network-accessible attack vector, low complexity, no privilege requirement, but user interaction required (victim must click the link). Impact is limited to integrity (XSS execution), with no direct confidentiality or availability impact.

Business impact

Customers and staff accessing the reservation system are at risk of session hijacking, unauthorized booking modifications, or credential capture. Attackers can use this flaw to distribute phishing content or malware through seemingly legitimate system links. For hotel operators, compromised user sessions may lead to fraudulent reservations, reputation damage, and potential PCI compliance issues if payment details are exposed through XSS. The public availability of exploits accelerates attack likelihood.

Affected systems

Hotel and Tourism Reservation System version 1.0 is confirmed vulnerable. Systems running this application with exposed web interfaces are at risk, particularly those accessible to untrusted networks or used in multi-tenant or public-facing environments. The vulnerability exists in a core reservation function, meaning all deployments of this version are affected unless patched or mitigated.

Exploitability

The vulnerability has low exploitation barriers: no authentication is required to craft a malicious URL, complexity is low, and public exploits have been released. The primary constraint is user interaction—the victim must click or be redirected to a malicious link. Given that reservation systems may receive links via email, social engineering, or injected advertisements, user interaction is not a strong defense. Active exploitation in the wild is likely given the public disclosure and ease of weaponization.

Remediation

Upgrade Hotel and Tourism Reservation System to a patched version released after June 2026 (verify against the vendor advisory for the specific build). If an update is unavailable, implement strict input validation and output encoding: sanitize all user inputs on the server side using allowlists, and HTML-encode all reflected output. Apply a Web Application Firewall (WAF) rule to detect and block common XSS payloads in the affected parameters. Restrict access to /ht/tour.php to known IP ranges if possible. For active deployments, conduct a security review of other user-input handling in the application.

Patch guidance

Contact the vendor (code-projects) to confirm availability and timeline for Hotel and Tourism Reservation System 1.0 patches. Test any update in a staging environment before production deployment, as XSS fixes may affect form functionality. If the vendor has ended support for version 1.0, evaluate migration to a current version or alternative reservation system. Verify the patch resolves the named parameters (name, email, people, number) and apply across all instances.

Detection guidance

Monitor web server logs for suspicious parameters in requests to /ht/tour.php containing encoded or obfuscated JavaScript (e.g., <script>, onerror=, onclick=, or JavaScript: protocol). Deploy WAF rules to flag and block common XSS patterns in the name, email, people, and number fields. Use security testing tools (e.g., OWASP ZAP, Burp Suite) to scan for reflected XSS in your deployment. Review user session logs for unusual activity post-compromise, such as unauthorized booking modifications or mass reservation deletions.

Why prioritize this

While the CVSS score is moderate (4.3), this vulnerability merits rapid attention due to public exploit availability and active exploitation potential. XSS flaws in customer-facing reservation systems expose user sessions and payment data to compromise. The low barrier to exploitation and confirmed public disclosure elevate practical risk above the base CVSS rating. Prioritize patching ahead of lower-exploitability medium-severity issues.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible, low-complexity attack with user interaction required but no privilege requirement. Impact is limited to integrity (XSS script execution) with no direct confidentiality loss or service disruption. However, this does not fully capture business risk: in a reservation system context, XSS can cascade to account compromise and fraud. The public exploit and active exploitation push practical risk higher. Organizations should treat this as a high-priority patch candidate despite the medium CVSS label.

Frequently asked questions

Can an attacker steal payment information directly via this XSS?

Not directly through the XSS alone, but if the reservation system stores or transmits payment data in the browser session, a malicious script can exfiltrate cookies, session tokens, or form data. This depends on your application's architecture and PCI practices. Assume sensitive data is at risk and patch urgently.

Does this vulnerability require the attacker to be on the same network?

No. The attack vector is Network (AV:N), meaning the attacker can craft a malicious URL from anywhere and send it to victims via email, chat, or social media. No special network positioning is required.

What is the difference between CWE-79 and CWE-94 listed for this CVE?

CWE-79 is Improper Neutralization of Input During Web Page Generation (classic XSS). CWE-94 is Improper Control of Generation of Code (Code Injection). The application may have related input-handling weaknesses affecting both script injection and code execution contexts; both require remediation.

Will a WAF alone protect us until we patch?

A WAF can significantly reduce risk by blocking known XSS payloads, but determined attackers may bypass filters with encoding or novel payloads. WAF deployment is a strong interim measure but not a substitute for patching. Prioritize vendor updates while maintaining WAF rules as defense-in-depth.

This analysis is based on CVE-2026-10289 and publicly available information as of June 2026. Vendor patch availability and timelines are subject to change; verify all remediation steps against the vendor advisory before implementation. No exploit code or weaponization details are provided herein. Organizations should conduct their own risk assessment and testing in non-production environments. SEC.co does not guarantee completeness or real-time accuracy of threat intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).