Description
A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection that occurs when the tour parameter in tour.php is not properly sanitized. Attackers can manipulate the argument to inject arbitrary SQL statements, enabling them to read, modify, or delete data from the underlying database. This flaw is classified under CWE‑74 (URL Manipulation) and CWE‑89 (SQL Injection). The impact is remote data compromise, potentially exposing sensitive customer information and altering reservation data. The flaw is confined to the code‑projects Hotel and Tourism Reservation System version 1.0, which includes a vulnerable GET parameter handler that accepts the tour argument without adequate encoding. Risk and Exploitability: The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA KEV, yet the exploit is publicly available on GitHub and VULDB, implying attackers can deploy it without difficulty. Attackers can reach the vulnerable endpoint remotely over HTTP, using a crafted tour parameter even without authentication.

Affected Systems

Affected systems: The vulnerability affects the code‑projects Hotel and Tourism Reservation System version 1.0. The vulnerable component is the tour.php file's GET parameter handler that processes the tour argument without proper validation. The vulnerability has been identified in this specific release and no other versions were mentioned.

Risk and Exploitability

Risk and Exploitability: The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA KEV, yet the exploit is publicly available on GitHub and VULDB, implying attackers can deploy it without difficulty. Attackers can reach the vulnerable endpoint remotely over HTTP, using a crafted tour parameter even without authentication.

Generated by OpenCVE AI on June 1, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched release of the Hotel and Tourism Reservation System or apply a vendor-supplied fix when it becomes available.
  • Restrict external access to the tour.php endpoint and enforce input validation, ensuring that the tour parameter is sanitized or bound as a parameterized query.
  • Apply web application hardening measures such as a firewall rule to detect and block malformed SQL payloads and monitor database logs for suspicious activity.

Generated by OpenCVE AI on June 1, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Title code-projects Hotel and Tourism Reservation System GET Parameter tour.php sql injection
First Time appeared Code-projects
Code-projects hotel And Tourism Reservation System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:code-projects:hotel_and_tourism_reservation_system:*:*:*:*:*:*:*:*
Vendors & Products Code-projects
Code-projects hotel And Tourism Reservation System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Hotel And Tourism Reservation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T12:25:44.748Z

Reserved: 2026-05-31T16:41:48.020Z

Link: CVE-2026-10290

cve-icon Vulnrichment

Updated: 2026-06-02T12:25:17.688Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T22:16:23.910

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T23:30:12Z

Weaknesses