CVE-2026-10290: Hotel and Tourism Reservation System SQL Injection Vulnerability
A SQL injection vulnerability exists in code-projects Hotel and Tourism Reservation System version 1.0 due to improper sanitization of the 'tour' GET parameter in the tour.php file, potentially allowing remote attackers to execute arbitrary SQL queries.
A SQL injection vulnerability, identified as CVE-2026-10290, affects code-projects Hotel and Tourism Reservation System version 1.0. The flaw is in the GET parameter handler of the tour.php file: the value of the 'tour' argument is placed into a database query without validation or parameter binding, so a remote attacker can append arbitrary SQL to the application's queries. The vulnerability is rated high severity because it permits unauthorized reading, modification, or deletion of database contents. Publicly available exploit code exists, which raises the likelihood of exploitation. Defenders should prioritize patching or mitigating this vulnerability.
Attack Chain
- An attacker identifies a vulnerable instance of code-projects Hotel and Tourism Reservation System 1.0 accessible over the internet.
- The attacker crafts a malicious HTTP GET request targeting the tour.php file.
- The crafted request carries a modified 'tour' parameter containing a SQL injection payload, normally URL-encoded.
- The application neither validates the 'tour' value nor binds it as a query parameter; the raw string is concatenated into the SQL statement, so quote characters and SQL keywords in it change the statement's meaning.
- The malicious SQL query is executed against the application’s database.
- The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, booking information, or financial details.
- The attacker may modify or delete data within the database, potentially disrupting the application’s functionality.
- Depending on the database configuration and the privileges of the application's database account (for example, file-write or administrative rights on the database server), the attacker could use the injection as a foothold for further access to the underlying server.
Impact
Successful exploitation of CVE-2026-10290 can lead to unauthorized access to sensitive data stored in the Hotel and Tourism Reservation System’s database. This could include customer information, booking details, financial records, and administrator credentials. An attacker could potentially modify or delete data, leading to disruption of services, financial loss, and reputational damage. Given that publicly available exploits exist, vulnerable systems are at increased risk of attack.
Recommendation
- Apply any patch or update that code-projects provides for CVE-2026-10290 in Hotel and Tourism Reservation System 1.0; if none is available, fix tour.php directly as described in the next item.
- Rewrite the query in tour.php to use prepared statements with bound parameters (PDO or mysqli) instead of string concatenation, and validate that the 'tour' value has the expected form (for example, a positive integer) before using it. Input sanitization on its own is not a reliable defence against SQL injection.
- Deploy the Sigma rules described below to detect exploitation attempts against tour.php.
- Monitor web server logs for GET requests to tour.php whose 'tour' parameter contains quote characters, SQL keywords, or comment sequences; decode URL encoding before matching, since payloads are normally sent encoded.
- Run the application with a database account restricted to the tables and statements it actually needs, so an injection cannot read unrelated tables, alter data outside the application's scope, or write files on the database server.
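The attack chain and the first two recommendations above describe the same mechanism from two sides: a value from the query string spliced into SQL text, and the prepared-statement fix. The following is an added example, not code from the Hotel and Tourism Reservation System or from code-projects. It models the tour.php 'tour' lookup against an in-memory SQLite database so both the injection and the fix can be run offline; the schema, rows, table names, the hash value and the UNION payload are all constructed for the example (the real application runs on MySQL, but the flaw behaves the same way).

```python
"""
Added example, not code from the Hotel and Tourism Reservation System:
models the tour.php 'tour' parameter handling against an in-memory SQLite
database so the injection and its fix can be run offline. The schema, rows,
table names and the payload are constructed for this example.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a public tours table and a sensitive users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tours (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO tours VALUES (1, 'City Walk', 20), (2, 'Island Cruise', 120);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def lookup_tour_vulnerable(conn: sqlite3.Connection, tour: str) -> list:
    """Mirrors the flaw: the raw GET value is spliced into the SQL text, so a
    quote inside it closes the literal and whatever follows is parsed as SQL."""
    query = f"SELECT name, price FROM tours WHERE id = '{tour}'"
    return conn.execute(query).fetchall()


def validate_tour_id(tour: str) -> Optional[int]:
    """Defence in depth: a tour id is a small positive integer, nothing else."""
    return int(tour) if tour.isdigit() and len(tour) <= 9 else None


def lookup_tour_fixed(conn: sqlite3.Connection, tour: str) -> list:
    """Hardened version: validate the type, then bind the value as a parameter
    so the driver never treats it as part of the statement."""
    tour_id = validate_tour_id(tour)
    if tour_id is None:
        return []
    return conn.execute(
        "SELECT name, price FROM tours WHERE id = ?", (tour_id,)
    ).fetchall()


# Constructed UNION payload: the trailing '-- -' comments out the quote the
# application appends, which is why the dangling literal does not break the query.
PAYLOAD = "1' UNION SELECT username, password_hash FROM users-- -"


def demo() -> dict:
    """Run both lookups with a normal id and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_tour_vulnerable(conn, "1"),
        "vulnerable_payload": lookup_tour_vulnerable(conn, PAYLOAD),
        "fixed_normal": lookup_tour_fixed(conn, "1"),
        "fixed_payload": lookup_tour_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns the admin row from the users table alongside the tour row, because the concatenated statement became a UNION; the fixed lookup returns the same tour for a normal id and nothing for the payload. The UNION only works because the application's database account can read users at all, which is the point of the least-privilege recommendation.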
Detection coverage (2 rules)
Detects CVE-2026-10290 Exploitation — SQL Injection in tour.php
Severity: high. Detects CVE-2026-10290 exploitation: an HTTP GET request to tour.php with SQL injection attempts in the 'tour' parameter.
Detects CVE-2026-10290 Exploitation — SQL Injection Error Messages in Responses
Severity: medium. Detects CVE-2026-10290 exploitation attempts by identifying SQL error messages in the web server's response body after a request to the vulnerable endpoint.
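The two rules above, and the log-monitoring recommendation earlier on the page, reduce to the same two checks: a GET to tour.php whose decoded 'tour' value contains SQL syntax, and a database error string in a response from tour.php. The following is an added example that re-implements that logic in Python so it can be run over sample logs offline; it is not one of the platform's rules and not code from the vulnerable project. The access-log format (Apache/nginx "combined"), the log lines, the response bodies, the client IPs (documentation ranges) and the token patterns are all constructed here and should be tuned against real traffic before use.

```python
"""
Added example, not one of the platform's rules: re-implements the two
detections in Python over constructed sample logs. Log format, lines,
response bodies, IPs and token patterns are assumptions for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# SQL syntax that has no place in a tour id. Word boundaries keep words such
# as "selection" from matching; a quote in a legitimate value would still
# alert, which is acceptable for a parameter that should be numeric.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"""
    r"""\bextractvalue\s*\(|\bupdatexml\s*\(|\b(?:or|and)\b\s+\w+\s*=\s*\w+""",
    re.IGNORECASE,
)

# Error text MySQL and PHP's mysql/mysqli layers emit when an injected query breaks.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|mysqli?_[a-z_]+\(\)|SQLSTATE\[|Warning: mysql",
    re.IGNORECASE,
)


def parse_access_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_tour_endpoint(target: str) -> bool:
    return urlsplit(target).path.lower().endswith("/tour.php")


def tour_param(target: str) -> Optional[str]:
    """URL-decoded 'tour' value of a request to tour.php, or None."""
    if not is_tour_endpoint(target):
        return None
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("tour")
    return values[0] if values else None


def request_is_sqli(line: str) -> bool:
    """Rule 1: GET to tour.php whose 'tour' parameter carries SQL syntax.
    Matching runs on the decoded value because payloads arrive URL-encoded."""
    rec = parse_access_line(line)
    if rec is None or rec["method"] != "GET":
        return False
    value = tour_param(rec["target"])
    return value is not None and SQLI_RE.search(value) is not None


def response_is_sql_error(target: str, body: str) -> bool:
    """Rule 2: database error text in the body of a response from tour.php."""
    return is_tour_endpoint(target) and SQL_ERROR_RE.search(body) is not None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, decoded payload) for every line rule 1 flags."""
    hits = []
    for line in lines:
        if request_is_sqli(line):
            rec = parse_access_line(line)
            hits.append((rec["ip"], tour_param(rec["target"])))
    return hits


def scan_responses(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return the request targets whose response bodies rule 2 flags."""
    return [t for t, body in pairs if response_is_sql_error(t, body)]


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /tour.php?tour=3 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2026:10:00:02 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 810',
    '198.51.100.7 - - [10/Mar/2026:10:00:03 +0000] "GET /tour.php?tour=1%27%20UNION%20SELECT%20username,password%20FROM%20users--%20- HTTP/1.1" 200 6010',
    '198.51.100.7 - - [10/Mar/2026:10:00:04 +0000] "GET /tour.php?tour=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2026:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]
SAMPLE_RESPONSES = [
    ("/tour.php?tour=3", "<h1>City Walk</h1><p>Price: 20</p>"),
    ("/tour.php?tour=1%27", "You have an error in your SQL syntax; check the manual that "
                            "corresponds to your MySQL server version for the right syntax "
                            "to use near ''' at line 1"),
    ("/index.php", "Warning: mysqli_query(): MySQL server has gone away"),
]

if __name__ == "__main__":
    print("rule 1 hits:", scan_log(SAMPLE_LOG))
    print("rule 2 hits:", scan_responses(SAMPLE_RESPONSES))
```

Rule 1 flags only the two requests from 198.51.100.7: the quote in /search.php?q=O%27Brien is ignored because the rule is scoped to tour.php, and the plain numeric id is clean. Rule 2 flags the tour.php response carrying a MySQL syntax error but not the mysqli warning from /index.php, matching the rule's scope of the vulnerable endpoint. A legitimate tour value that happens to contain a SQL keyword would raise a false positive, so keep rule 1 scoped to the parameter and endpoint rather than widening it to the whole request line.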
Detection queries are available on the platform.