HIGH 7.3

CVE-2026-10877: SQL Injection in SourceCodester Ferry Ticket System Admin Login

A SQL injection vulnerability exists in the SourceCodester Ship Ferry Ticket Reservation System version 1.0 and earlier. An attacker can exploit the admin login page by manipulating the Username parameter to execute arbitrary SQL commands remotely. No authentication is required to attempt the attack, and the vulnerability has already been publicly disclosed with functional exploits available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Username leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10877 is a remote SQL injection flaw in the /admin/login.php endpoint of the SourceCodester Ship Ferry Ticket Reservation System. The vulnerability stems from insufficient input validation on the Username parameter, classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection). An unauthenticated network-based attacker can craft malicious input to bypass authentication logic, extract sensitive data from the backend database, or potentially modify database contents depending on the database user's permissions.

Business impact

Compromise of the admin login mechanism exposes the entire ticket reservation system to unauthorized access. An attacker gaining admin credentials could view and modify reservation records, customer payment information, and potentially system configuration. This creates exposure for customer personal data, financial fraud risk, and operational disruption of ferry service bookings. The reputational damage from a public breach of a reservation system would be significant.

Affected systems

SourceCodester Ship Ferry Ticket Reservation System version 1.0 and all earlier versions are confirmed vulnerable. The vulnerability is in the admin login component, meaning any installation of this software is at risk if exposed to the internet or untrusted networks. Organizations using this system should identify all instances in their environment immediately.

Exploitability

Exploitability is high. The attack requires no authentication, no user interaction, and can be executed over the network via HTTP requests to the login endpoint. The CVSS score of 7.3 (HIGH) reflects this low barrier to entry. Public disclosure and availability of working exploits means that threat actors have functional attack code. Automated scanning tools will likely detect vulnerable instances within days.

Remediation

Immediate action is required. Contact SourceCodester for available security updates or patches addressing this vulnerability. If no patch is available or the vendor is unresponsive, consider implementing a Web Application Firewall (WAF) rule to block SQL injection payloads targeting /admin/login.php, or isolating the admin login interface to trusted networks only. A complete audit of database access logs should be performed to determine if the vulnerability has been exploited.

Patch guidance

Check the SourceCodester vendor advisory and website for patched versions beyond 1.0. Apply patches immediately upon availability to all affected instances. Before patching, test in a non-production environment. If no official patch is released in a timely manner, escalate to your vendor contact or consider alternative ticketing software with active security support.

Detection guidance

Monitor web server logs for suspicious SQL syntax in the Username parameter to /admin/login.php, such as single quotes, UNION statements, OR conditions, or comment sequences (-- or /*). Implement network-based detection rules for common SQL injection patterns. Query database audit logs for unexpected admin authentication attempts or unusual query execution. Use Web Application Firewall logs to identify blocked injection attempts. Correlate failed login attempts with source IP addresses to identify scanning activity.

Why prioritize this

This vulnerability merits immediate remediation due to the combination of unauthenticated remote access, direct impact to admin functionality, and public exploit availability. The SQL injection class of vulnerability historically enables full database compromise. The system's role in handling customer reservation and payment data elevates business risk.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects network accessibility (AV:N), low complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N). The impact spans confidentiality, integrity, and availability of the database tier. The score does not account for the public availability of working exploits or the fact that this vulnerability is not yet on the CISA Known Exploited Vulnerabilities list, which would typically warrant higher priority in practice.

Frequently asked questions

Can this vulnerability be exploited without internet access?

No, the vulnerability requires network-level access to the /admin/login.php endpoint. However, if the admin panel is accessible on an internal network or through VPN, an insider or compromised network user could exploit it.

What data is at immediate risk if this vulnerability is exploited?

The primary risk is unauthorized admin access, which could expose the entire database including customer names, contact information, reservation details, and potentially payment card data if stored. The actual exposure depends on what data the system stores and the database user's permissions.

Is there a workaround if we cannot patch immediately?

While no workaround fully eliminates the risk, you can reduce exposure by restricting network access to the /admin/login.php endpoint to a whitelist of trusted IP addresses, disabling remote admin login if not required, and implementing a WAF rule to block SQL injection syntax. These are temporary measures only.

Why is this vulnerability not on the CISA KEV list yet?

The CISA Known Exploited Vulnerabilities catalog is updated regularly but not in real-time. Recent disclosures may take time to be formally catalogued. Even without KEV designation, active exploitation is likely given the public availability of exploits and the ease of attack.

This analysis is based on publicly disclosed vulnerability information current as of the modification date. Organizations should verify patch availability and applicability to their specific deployments directly with SourceCodester. SEC.co makes no warranties regarding the completeness or accuracy of third-party vendor advisories. This explainer is for informational purposes and does not constitute legal or compliance advice. Exploit code and detailed attack vectors are intentionally omitted; refer to official security resources for technical details if needed for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).