high advisory

CVE-2026-10288 - code-projects Hotel and Tourism Reservation System Authentication Bypass

CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.

A vulnerability, identified as CVE-2026-10288, exists within the code-projects Hotel and Tourism Reservation System version 1.0. The vulnerability resides in the /admin/login.php file, specifically in the Admin Login component’s password_verify function. A remote attacker can manipulate the Password argument during login to bypass authentication. This improper authentication can grant unauthorized access to the administrative panel of the affected system. Given the public availability of an exploit, the risk of exploitation is elevated.

Attack Chain

  1. The attacker identifies an instance of code-projects Hotel and Tourism Reservation System 1.0.
  2. The attacker navigates to the /admin/login.php page.
  3. The attacker crafts a malicious request to /admin/login.php, manipulating the Password argument in a way that bypasses the password_verify function.
  4. The system improperly authenticates the attacker due to the vulnerability in the password_verify function.
  5. The attacker gains unauthorized access to the administrative panel.
  6. The attacker is able to modify hotel and tourism data.
  7. The attacker is able to add malicious scripts to the website.

Impact

Successful exploitation of CVE-2026-10288 allows an attacker to bypass authentication and gain administrative access to the Hotel and Tourism Reservation System. This could lead to unauthorized modification of hotel and tourism data, disruption of services, and potentially further compromise of the system and its users.

Recommendation

  • Apply any available patches or updates provided by code-projects for the Hotel and Tourism Reservation System 1.0 to remediate CVE-2026-10288.
  • Monitor web server logs for suspicious POST requests to /admin/login.php with unusual parameters in the Password field as outlined in the Sigma rule “Detect CVE-2026-10288 Exploitation Attempt via Admin Login”.
  • Implement strong password policies and multi-factor authentication where possible to mitigate the impact of potential authentication bypass vulnerabilities.

Detection coverage (2 rules)

Detect CVE-2026-10288 Exploitation Attempt via Admin Login

high

Detects CVE-2026-10288 exploitation attempt - HTTP POST to /admin/login.php with suspicious password manipulation

Sigma rule; tactics: initial_access; techniques: T1190; sources: webserver

Detect CVE-2026-10288 - Admin Login Attempt with Unusual Password Argument

medium

Detects CVE-2026-10288 exploitation attempt - Admin login with password containing unusual characters

Sigma rule; tactics: initial_access; techniques: T1190; sources: webserver
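As an added example, not taken from the advisory or from the Sigma rules it lists (their content is not reproduced here), the following Python check implements the monitoring described in the recommendation and in the two detection entries above: it flags POST requests to /admin/login.php whose Password field is missing, repeated, overlong, or contains control characters. The request-log format with a body="..." field, the 128-character length threshold, and the sample lines are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qsl

# Assumed log format (constructed): an access-log line extended with a body="..." field, as a
# WAF or reverse proxy can emit. Plain access logs do not record POST bodies, so this check needs such a source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"'
)
TARGET_PATH = "/admin/login.php"
MAX_PASSWORD_LEN = 128  # assumed threshold; tune to the deployment's password policy

def password_anomalies(body: str) -> list[str]:
    """Return reasons a login form body looks tampered with; empty list if it looks normal."""
    params = parse_qsl(body, keep_blank_values=True)  # percent-decodes values, e.g. %00 -> NUL
    values = [v for k, v in params if k == "Password"]
    reasons = []
    if not values:
        reasons.append("Password parameter missing")
    if len(values) > 1:
        reasons.append("Password parameter repeated")
    for v in values:
        if any(ord(c) < 32 or ord(c) == 127 for c in v):
            reasons.append("control/non-printable characters in Password")
        if len(v) > MAX_PASSWORD_LEN:
            reasons.append(f"Password longer than {MAX_PASSWORD_LEN} chars")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Flag POST requests to /admin/login.php whose Password field looks manipulated."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != TARGET_PATH:
            continue
        reasons = password_anomalies(m["body"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons})
    return hits

# Constructed sample lines: a normal login, a GET, then three suspicious POSTs.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /admin/login.php HTTP/1.1" 302 body="Username=admin&Password=Winter2026%21"',
    '198.51.100.4 - - [10/Jan/2026:10:00:03 +0000] "GET /admin/login.php HTTP/1.1" 200 body=""',
    '203.0.113.9 - - [10/Jan/2026:10:00:07 +0000] "POST /admin/login.php HTTP/1.1" 302 body="Username=admin&Password=%00%0Aabc"',
    '203.0.113.9 - - [10/Jan/2026:10:00:09 +0000] "POST /admin/login.php HTTP/1.1" 302 body="Username=admin"',
    '203.0.113.9 - - [10/Jan/2026:10:00:12 +0000] "POST /admin/login.php HTTP/1.1" 302 body="Username=admin&Password=' + "A" * 200 + '"',
])
```

Running scan_log(SAMPLE_LOG) returns the three POSTs from 203.0.113.9 with their reasons; the 302 status on a flagged request is worth correlating with the application's own login audit trail, since a redirect after a malformed password is exactly the success signal this vulnerability would produce.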
