Description
A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name/email/people/number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Hotel and Tourism Reservation System’s /ht/tour.php file. By manipulating the query string parameters, such as "email", "people", or "number", an attacker can inject arbitrary JavaScript code. When a user visits the affected page, the injected script runs in the user’s browser, enabling the attacker to steal session cookies, deface content, or redirect the user to malicious sites. This vulnerability is categorized as CWE‑79 (Improper Neutralization of Input During Web Page Generation). The vulnerability also intersects with CWE‑94 (Improper Control of Code Generation) because the injected code can control script execution flow.

Affected Systems

The affected product is the code‑projects Hotel and Tourism Reservation System, version 1.0. The bug is located in the tour.php component, which accepts user supplied parameters via the URL and reflects them without proper validation or encoding. No other products or versions are listed as affected in the CVE data.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be initiated remotely by sending a specially crafted URL to a victim. A public exploit has already been released, meaning an attacker only needs to send a malicious link to a target user. Given the moderate severity and public availability of the exploit, organizations using this system should treat the vulnerability with urgency but can prioritize remediation after assessing exposure risk.

Generated by OpenCVE AI on June 1, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy any vendor‑issued patch or upgrade to a newer, non‑vulnerable version of the Hotel and Tourism Reservation System.
  • Implement server‑side input validation for all GET parameters used by /ht/tour.php, ensuring that only expected alphanumeric values are accepted and that any reflected data is properly escaped before output.
  • Configure a Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, thereby mitigating the impact of any residual injection.
  • If applicable, use a Web Application Firewall to filter requests containing characters commonly used in XSS payloads.
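
The validation, output-encoding and CSP recommendations above, shown together as an added PHP example (not code from the project or from OpenCVE). Only the parameter names come from the CVE description; the function names, the field formats (name characters, a people count of 1 to 50, number as a 6 to 15 digit phone number) and the sample request are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened handler, NOT the project's tour.php. Parameter names
// come from the CVE description; formats and limits below are assumptions.

// Restrictive CSP: no inline script, scripts only from this origin.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");

/** Encode a value for an HTML text node or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allow-list validation; returns [clean values, names of rejected fields]. */
function validate_booking(array $in): array
{
    $rules = [
        'name'   => fn($v) => preg_match('/\A[\p{L}\p{M} .\'-]{1,80}\z/u', $v) === 1,
        'email'  => fn($v) => strlen($v) <= 254 && filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
        'people' => fn($v) => filter_var($v, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 50]]) !== false,
        'number' => fn($v) => preg_match('/\A\+?[0-9]{6,15}\z/', $v) === 1,
    ];
    $clean = [];
    $rejected = [];
    foreach ($rules as $field => $ok) {
        $v = $in[$field] ?? null;
        // Missing values and arrays (e.g. name[]=x) are rejected outright.
        if (is_string($v) && $ok(trim($v))) {
            $clean[$field] = trim($v);
        } else {
            $rejected[] = $field;
        }
    }
    return [$clean, $rejected];
}

// Constructed sample request; a live page would pass its request array instead.
$sample = ['name' => "Ana O'Neil", 'email' => 'ana@example.test',
           'people' => '2', 'number' => '<i>123456</i>'];
[$clean, $rejected] = validate_booking($sample);

foreach ($clean as $field => $value) {
    echo '<li>', e($field), ': ', e($value), "</li>\n";   // encode at output time
}
foreach ($rejected as $field) {
    echo '<li class="error">Invalid value for ', e($field), "</li>\n";
}
```

Validation rejects the markup in `number` before it reaches the page, and `e()` still encodes the accepted values (the apostrophe in the name becomes `&#039;`), so neither control depends on the other.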



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: none listed
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 20:30:00 +0000

Values Removed: none listed
Values Added:
  • Description: A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name/email/people/number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
  • Title: code-projects Hotel and Tourism Reservation System tour.php cross site scripting
  • First Time appeared: Code-projects; Code-projects hotel And Tourism Reservation System
  • Weaknesses: CWE-79, CWE-94
  • CPEs: cpe:2.3:a:code-projects:hotel_and_tourism_reservation_system:*:*:*:*:*:*:*:*
  • Vendors & Products: Code-projects; Code-projects hotel And Tourism Reservation System
  • References
  • Metrics:
      cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T12:33:57.853Z

Reserved: 2026-05-31T16:41:45.521Z

Link: CVE-2026-10289

Vulnrichment

Updated: 2026-06-02T12:33:53.597Z

NVD

Status: Deferred

Published: 2026-06-01T21:16:25.960

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:52:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')