CVE-2026-10877: SQL Injection in SourceCodester Ferry Ticket System Admin Login
A SQL injection vulnerability exists in the SourceCodester Ship Ferry Ticket Reservation System version 1.0 and earlier. An attacker can exploit the admin login page by manipulating the Username parameter to execute arbitrary SQL commands remotely. No authentication is required to attempt the attack, and the vulnerability has already been publicly disclosed with functional exploits available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Username leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10877 is a remote SQL injection flaw in the /admin/login.php endpoint of the SourceCodester Ship Ferry Ticket Reservation System. The vulnerability stems from insufficient input validation on the Username parameter, classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection). An unauthenticated network-based attacker can craft malicious input to bypass authentication logic, extract sensitive data from the backend database, or potentially modify database contents depending on the database user's permissions.
Business impact
Compromise of the admin login mechanism exposes the entire ticket reservation system to unauthorized access. An attacker gaining admin credentials could view and modify reservation records, customer payment information, and potentially system configuration. This creates exposure for customer personal data, financial fraud risk, and operational disruption of ferry service bookings. The reputational damage from a public breach of a reservation system would be significant.
Affected systems
SourceCodester Ship Ferry Ticket Reservation System version 1.0 and all earlier versions are confirmed vulnerable. The vulnerability is in the admin login component, meaning any installation of this software is at risk if exposed to the internet or untrusted networks. Organizations using this system should identify all instances in their environment immediately.
Exploitability
Exploitability is high. The attack requires no authentication, no user interaction, and can be executed over the network via HTTP requests to the login endpoint. The CVSS score of 7.3 (HIGH) reflects this low barrier to entry. Public disclosure and availability of working exploits means that threat actors have functional attack code. Automated scanning tools will likely detect vulnerable instances within days.
Remediation
Immediate action is required. Contact SourceCodester for available security updates or patches addressing this vulnerability. If no patch is available or the vendor is unresponsive, consider implementing a Web Application Firewall (WAF) rule to block SQL injection payloads targeting /admin/login.php, or isolating the admin login interface to trusted networks only. A complete audit of database access logs should be performed to determine if the vulnerability has been exploited.
Patch guidance
Check the SourceCodester vendor advisory and website for patched versions beyond 1.0. Apply patches immediately upon availability to all affected instances. Before patching, test in a non-production environment. If no official patch is released in a timely manner, escalate to your vendor contact or consider alternative ticketing software with active security support.
Detection guidance
Monitor web server logs for suspicious SQL syntax in the Username parameter to /admin/login.php, such as single quotes, UNION statements, OR conditions, or comment sequences (-- or /*). Implement network-based detection rules for common SQL injection patterns. Query database audit logs for unexpected admin authentication attempts or unusual query execution. Use Web Application Firewall logs to identify blocked injection attempts. Correlate failed login attempts with source IP addresses to identify scanning activity.
Why prioritize this
This vulnerability merits immediate remediation due to the combination of unauthenticated remote access, direct impact to admin functionality, and public exploit availability. The SQL injection class of vulnerability historically enables full database compromise. The system's role in handling customer reservation and payment data elevates business risk.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects network accessibility (AV:N), low complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N). The impact spans confidentiality, integrity, and availability of the database tier. The score does not account for the public availability of working exploits or the fact that this vulnerability is not yet on the CISA Known Exploited Vulnerabilities list, which would typically warrant higher priority in practice.
Frequently asked questions
Can this vulnerability be exploited without internet access?
No, the vulnerability requires network-level access to the /admin/login.php endpoint. However, if the admin panel is accessible on an internal network or through VPN, an insider or compromised network user could exploit it.
What data is at immediate risk if this vulnerability is exploited?
The primary risk is unauthorized admin access, which could expose the entire database including customer names, contact information, reservation details, and potentially payment card data if stored. The actual exposure depends on what data the system stores and the database user's permissions.
Is there a workaround if we cannot patch immediately?
While no workaround fully eliminates the risk, you can reduce exposure by restricting network access to the /admin/login.php endpoint to a whitelist of trusted IP addresses, disabling remote admin login if not required, and implementing a WAF rule to block SQL injection syntax. These are temporary measures only.
Why is this vulnerability not on the CISA KEV list yet?
The CISA Known Exploited Vulnerabilities catalog is updated regularly but not in real-time. Recent disclosures may take time to be formally catalogued. Even without KEV designation, active exploitation is likely given the public availability of exploits and the ease of attack.
This analysis is based on publicly disclosed vulnerability information current as of the modification date. Organizations should verify patch availability and applicability to their specific deployments directly with SourceCodester. SEC.co makes no warranties regarding the completeness or accuracy of third-party vendor advisories. This explainer is for informational purposes and does not constitute legal or compliance advice. Exploit code and detailed attack vectors are intentionally omitted; refer to official security resources for technical details if needed for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login