MEDIUM 6.3

CVE-2026-10876: Authorization Bypass in SourceCodester Ship Ferry Ticket Reservation System 1.0

SourceCodester Ship Ferry Ticket Reservation System version 1.0 contains an authorization bypass vulnerability affecting its admin panel. An authenticated user can manipulate the 'page' parameter in requests to /admin/ to access functions they should not be permitted to use. This vulnerability requires valid login credentials to exploit, but once authenticated, an attacker can view, modify, or delete unauthorized data. The vulnerability has been publicly disclosed with working exploits available, increasing active risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10876 is an improper authorization flaw (CWE-266, CWE-285) in SourceCodester Ship Ferry Ticket Reservation System 1.0. The vulnerability exists in an unidentified admin function accessed via the /admin/ path. Insufficient access control on the 'page' parameter allows authenticated users to bypass intended role or permission boundaries. The attack vector is network-accessible, requires valid credentials (PR:L), involves no user interaction, and operates within a single trust boundary. CVSS v3.1 score is 6.3 (MEDIUM), reflecting confidentiality, integrity, and availability impact.

Business impact

Unauthorized access to admin functions poses direct operational risk: sensitive reservation data, payment information, customer details, and system configurations may be exposed or altered. Integrity compromise is likely—attackers could modify bookings, refunds, or user records. The system's reliability is threatened by potential data corruption or deletion. Organizations running this software face compliance violations (PCI-DSS, GDPR) if customer or payment data is leaked. Reputational damage and customer trust erosion follow disclosure. Since exploits are public, active exploitation risk is elevated.

Affected systems

SourceCodester Ship Ferry Ticket Reservation System version 1.0 is confirmed affected. No other versions, products, or vendors are identified in available advisories. Organizations using this specific version in production should immediately assess exposure. Legacy or unsupported deployments pose higher risk due to delayed patching cycles.

Exploitability

Exploitation requires valid authentication credentials—attackers must either compromise legitimate admin accounts or use weak defaults. The network attack surface is low friction; no special tools or privilege escalation are needed beyond the initial login. Public exploit availability lowers barriers for opportunistic attackers. The lack of user interaction requirement means attacks can be automated at scale. Threat actors targeting the ferry/transportation sector, or conducting post-compromise lateral movement within already-compromised networks, will find this straightforward to weaponize.

Remediation

Update SourceCodester Ship Ferry Ticket Reservation System immediately to a patched version released after June 5, 2026. Verify the patch against the vendor advisory to confirm the authorization bypass is fixed. Pending patch availability, implement network-level access controls restricting /admin/ endpoints to trusted IP ranges and enforce multi-factor authentication for all admin accounts to reduce credential compromise risk. Conduct a forensic audit of admin panel access logs and reservation data modifications since the vulnerability disclosure date to detect prior abuse.

Patch guidance

Contact SourceCodester directly or monitor their official release channels for a patched version. The vendor's security advisories should specify the exact update version number and installation steps. Test patches in a staging environment replicating your deployment before production rollout. Verify post-patch that the 'page' parameter in /admin/ requests enforces proper authorization checks and rejects unauthorized function access. Maintain current backups before applying patches.

Detection guidance

Monitor admin panel access logs (/admin/) for anomalous 'page' parameter values that do not match legitimate workflow patterns. Log and alert on failed authorization attempts and unexpected function calls from low-privilege accounts. Web Application Firewall (WAF) rules should detect manipulation of the 'page' parameter against known benign values. Hunt for POST/GET requests to /admin/ from non-admin source IPs or unusual time-of-day patterns. Review reservation database audit trails for unauthorized modifications coinciding with the vulnerability disclosure window.

Why prioritize this

Although CVSS is MEDIUM (6.3), context elevates urgency: authentication requirement limits scope but does not eliminate risk in shared-credential or post-compromise scenarios. Public exploits and disclosed availability sharply increase active threat likelihood. Ferry/transport reservation systems handle sensitive passenger data and financial transactions—impact scope is material. Deployment in customer-facing environments amplifies exposure. This should be patched within days, not weeks, if the organization runs version 1.0.

Risk score, explained

CVSS 6.3 reflects: (1) Network attack vector—remotely exploitable with no special access; (2) Low complexity—straightforward parameter manipulation; (3) Low privilege requirement—only authenticated users, which lowers but does not eliminate risk; (4) No user interaction needed; (5) Scope unchanged—impact limited to the affected system; (6) Low CIA impact—partial confidentiality, integrity, and availability compromise. The score is appropriate for an auth bypass affecting an internal admin function, but risk materiality increases substantially due to public exploit availability and the criticality of reservation system data.

Frequently asked questions

Do we need valid credentials to exploit this vulnerability?

Yes. CVE-2026-10876 requires authenticated access to the system. An attacker must possess valid admin or user login credentials to make requests to /admin/ and manipulate the 'page' parameter. This means the vulnerability is most dangerous in scenarios involving credential compromise, weak passwords, or shared admin accounts.

Has this vulnerability been actively exploited in the wild?

Public exploits have been disclosed, which indicates active threat awareness. The vulnerability is not yet on the CISA Known Exploited Vulnerabilities (KEV) list, but the availability of working exploit code means opportunistic threat actors can employ it with minimal effort. Monitor for signs of compromise.

What data is at risk if this vulnerability is exploited?

Ferry ticket reservation systems typically store passenger names, contact information, payment card data, booking history, and travel itineraries. A successful authorization bypass could expose or modify any of this information, leading to financial fraud, identity theft, or service disruption. Payment Card Industry Data Security Standard (PCI-DSS) compliance is directly at risk.

Is there a temporary workaround if we cannot patch immediately?

Yes. Restrict network access to the /admin/ path using firewall rules or reverse proxy ACLs, allowing only trusted administrative IP ranges. Enforce multi-factor authentication for all admin accounts to reduce credential compromise risk. Monitor logs closely for suspicious activity. However, these are mitigations—a timely patch is the only complete fix.

This analysis is provided for informational purposes and reflects publicly disclosed information as of June 2026. SEC.co does not guarantee the completeness or accuracy of vulnerability data; organizations should verify patch availability and applicability against official vendor advisories. CVSS scoring is derived from NVD data and should be contextualized within your organization's risk framework. This document does not constitute legal, compliance, or professional security advice. Consult with your security team and legal counsel regarding vulnerability response and regulatory obligations. Exploit code and proof-of-concept details are intentionally omitted from this analysis. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).