CVE-2026-10290: SQL Injection in Hotel Tourism Reservation System 1.0
A SQL injection vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically in the tour.php file's GET parameter handler. An attacker can manipulate the 'tour' parameter to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. Because the vulnerability is remotely exploitable without authentication, and public exploits are available, organizations running this software face immediate risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10290 is a SQL injection flaw (CWE-89) arising from improper neutralization of special elements in the tour parameter (CWE-74). The tour.php component fails to sanitize or parameterize user-supplied input before incorporating it into SQL queries. The attack vector is network-based with low attack complexity, requires no privileges or user interaction, and impacts the entire system scope. The CVSS v3.1 score of 7.3 (HIGH) reflects low confidentiality, integrity, and availability impact rather than complete compromise, but the availability of public exploits significantly elevates practical risk.
Business impact
Exploitation could enable attackers to exfiltrate customer data (reservations, contact information, payment details), modify or delete booking records, or disrupt reservation operations. Hotels and tourism platforms relying on this system may face service downtime, regulatory notification obligations under data protection laws, reputational damage, and potential financial liability. The public availability of exploits means attackers of varying sophistication may target vulnerable instances.
Affected systems
Code-Projects Hotel and Tourism Reservation System version 1.0 is confirmed vulnerable. Organizations should audit their environment to identify any instances of this software currently in production or development. No patch version data is provided in the source record; verify against the vendor's official security advisory for remediation availability and scope.
Exploitability
This vulnerability is highly exploitable in practical terms. Network accessibility eliminates physical barriers; no authentication is required; attack complexity is low, meaning a basic SQL injection payload will likely succeed; and public exploit code removes the technical barrier for opportunistic attackers. While the CVSS base score of 7.3 does not denote critical severity, the combination of remote exploitability, public tooling, and lack of KEV status (indicating no known active exploitation campaign tracked by CISA at publication) should not breed complacency—organizations must assume exploitation attempts are imminent or ongoing.
Remediation
Immediate action is required. First, consult the vendor's official security advisory to determine if a patched version is available and the recommended upgrade path. If no patch exists or upgrading is not feasible, implement network-level controls: restrict access to the affected application via firewall rules, WAF rules to block malicious tour parameter patterns, and database access controls. Conduct a forensic review of database logs and application logs to detect any prior exploitation. Implement input validation and parameterized queries if source code access and internal development resources are available.
Patch guidance
Check the vendor's official website and security advisories for patch availability and version numbers. Apply patches to the Hotel and Tourism Reservation System as soon as they are released and tested in a non-production environment. If the vendor does not provide a patch, escalate to product evaluation and consider migration to alternative, well-maintained reservation software. Document all patch deployment with timestamps and affected systems to demonstrate due diligence.
Detection guidance
Monitor web server and application logs for HTTP requests to tour.php containing suspicious characters in the tour parameter (SQL keywords, quotation marks, operators such as UNION, OR, or --). Deploy a WAF with rules to detect common SQL injection signatures. Database audit logs should be reviewed for unexpected queries, particularly those accessing sensitive tables or executing administrative commands. Network detection systems should flag repeated requests to tour.php from the same source, indicating scanning or exploitation attempts.
Why prioritize this
Although not yet listed in CISA's Known Exploited Vulnerabilities catalog, the public availability of exploits and the ease of exploitation (no authentication required, low complexity) make this a priority for immediate patch or mitigation. The high CVSS score and the sensitive nature of reservation data (personal information, payment details) justify urgent remediation. Organizations should treat this as critical-priority within their vulnerability management workflow, regardless of official KEV status.
Risk score, explained
The CVSS v3.1 score of 7.3 reflects the metric vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The highest-impact components are network accessibility and lack of privilege/user interaction requirements, which enable remote attack at scale. The 'low' confidentiality, integrity, and availability impacts suggest partial rather than total compromise—likely reflecting that exploitation grants database read/modification access but not necessarily full system takeover. However, for a reservation system, partial database compromise can still expose hundreds of customer records and disrupt operations, warranting aggressive remediation timelines.
Frequently asked questions
What data is at immediate risk if this vulnerability is exploited?
Customer reservation records, personal identifiable information (names, contact details), booking history, and potentially payment information stored in the database are at risk. Attackers can read, modify, or delete records using SQL injection.
Why isn't this vulnerability on CISA's Known Exploited Vulnerabilities list yet?
KEV status reflects confirmed active exploitation in the wild that CISA has validated and tracked. This vulnerability's absence from KEV does not indicate low risk; it means active widespread exploitation has not yet been formally documented by CISA. Public exploit availability and the vulnerability's ease of exploitation mean defenders should assume it will be exploited.
Can this vulnerability be exploited through the Internet, or only from internal networks?
It is remotely exploitable over the network (AV:N in CVSS). Any system with network access to the affected tour.php endpoint can attempt exploitation, including from the Internet if the application is Internet-facing.
What should I do if I cannot upgrade immediately?
Implement compensating controls: restrict network access to the application via firewall rules, deploy a Web Application Firewall (WAF) with SQL injection detection, enforce strong database access controls, and monitor logs for signs of exploitation. These measures reduce risk but do not eliminate it; patching should remain the highest priority.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not verify vendor patch version numbers or availability independently; organizations must consult official vendor advisories to confirm remediation steps and patch eligibility. Exploitation attempts may vary in sophistication and scope; organization-specific risk depends on deployment context, network exposure, and the sensitivity of data stored. This document does not constitute professional security advice tailored to your environment; consult with qualified security professionals for incident response and remediation planning specific to your systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login