{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hotel-and-tourism-reservation-system-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-10290"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hotel and Tourism Reservation System 1.0"],"_cs_severities":["high"],"_cs_tags":["cve","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-10290, affects code-projects Hotel and Tourism Reservation System version 1.0. The flaw is in the GET parameter handler of \u003ccode\u003etour.php\u003c/code\u003e: the value of the \u003ccode\u003etour\u003c/code\u003e query parameter is incorporated into a database query without adequate sanitization or parameterization, so a remote attacker can inject arbitrary SQL into the application\u0026rsquo;s queries. The issue is rated high severity (CVSS 7.3) because it permits unauthorized reading, modification, or deletion of database contents. No public proof-of-concept is tracked for this issue in this feed, but injection through a plain GET parameter needs no special tooling, so exposed instances should be treated as at elevated risk. 
Defenders should prioritize patching or, where no fix is available, mitigating this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an internet-reachable instance of code-projects Hotel and Tourism Reservation System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP GET requests to \u003ccode\u003etour.php\u003c/code\u003e with a \u003ccode\u003etour\u003c/code\u003e parameter carrying SQL injection payloads (normally percent-encoded in the query string).\u003c/li\u003e\n\u003cli\u003eThe application incorporates the \u003ccode\u003etour\u003c/code\u003e value into an SQL query without adequate sanitization or parameterization.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker-controlled query; error-based, union-based, boolean-based, and time-based techniques all apply to a GET parameter like this one.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data from the database, such as user credentials, booking records, or payment details.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data, disrupting the application.\u003c/li\u003e\n\u003cli\u003eDepending on the privileges of the database account the application uses and on the database configuration, the attacker may be able to pivot further, for example by writing files or reusing recovered credentials against other services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10290 exposes the contents of the Hotel and Tourism Reservation System\u0026rsquo;s database, which can include customer information, booking details, financial records, and administrator credentials. An attacker can also modify or delete data, leading to service disruption, financial loss, and reputational damage. 
Because the vulnerable endpoint is reached with a single GET request, exposed instances should be assumed to be at risk even though no public exploit is tracked in this feed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any fix published by code-projects for CVE-2026-10290 in Hotel and Tourism Reservation System 1.0; where none is available, treat the mitigations below as the fix.\u003c/li\u003e\n\u003cli\u003eIn \u003ccode\u003etour.php\u003c/code\u003e, pass the \u003ccode\u003etour\u003c/code\u003e value to the database only through a parameterized query (prepared statement), and validate it against the format the application expects before use. Input filtering alone is not a reliable defence against SQL injection.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule to detect exploitation attempts against \u003ccode\u003etour.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for GET requests to \u003ccode\u003etour.php\u003c/code\u003e whose \u003ccode\u003etour\u003c/code\u003e parameter contains quotes, SQL comment sequences, or keywords such as UNION, SELECT, SLEEP, or OR 1=1. URL-decode the query string before matching, since payloads are normally percent-encoded.\u003c/li\u003e\n\u003cli\u003eRun the application with a database account limited to the tables and statements it needs; it should have no file, administrative, or cross-schema privileges, which also limits what a successful injection can reach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T22:19:02Z","date_published":"2026-06-01T22:19:02Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10290-sql-injection/","summary":"A SQL injection vulnerability exists in code-projects Hotel and Tourism Reservation System version 1.0 due to improper sanitization of the 'tour' GET parameter in the tour.php file, potentially allowing remote attackers to execute arbitrary SQL queries.","title":"CVE-2026-10290: Hotel and Tourism Reservation System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10290-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-10288"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hotel and Tourism Reservation System 1.0"],"_cs_severities":["high"],"_cs_tags":["cve-2026-10288","authentication bypass","web application"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA vulnerability, 
identified as CVE-2026-10288, exists in code-projects Hotel and Tourism Reservation System version 1.0. It resides in \u003ccode\u003e/admin/login.php\u003c/code\u003e, in the Admin Login component\u0026rsquo;s password check, which is built on PHP\u0026rsquo;s \u003ccode\u003epassword_verify\u003c/code\u003e. The defect is in how the script handles the submitted Password value around that call, not in \u003ccode\u003epassword_verify\u003c/code\u003e itself: a remote attacker can supply a manipulated Password value at login and be authenticated without knowing the administrator\u0026rsquo;s password. This improper authentication grants access to the administrative panel of the affected system. No public proof-of-concept is tracked for this issue in this feed, but the attack needs only a crafted login request to a page that is reachable by design, so the risk of exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of code-projects Hotel and Tourism Reservation System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker browses to \u003ccode\u003e/admin/login.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a login request whose Password argument is manipulated so that the check around \u003ccode\u003epassword_verify\u003c/code\u003e accepts it.\u003c/li\u003e\n\u003cli\u003eThe application treats the request as a successful login and issues an administrative session.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the administrative panel.\u003c/li\u003e\n\u003cli\u003eFrom the panel, the attacker can modify hotel and tourism data.\u003c/li\u003e\n\u003cli\u003eThe attacker can also add malicious scripts to the website, affecting its visitors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10288 allows an attacker to bypass authentication and gain administrative access to the Hotel and Tourism Reservation System. 
This could lead to unauthorized modification of hotel and tourism data, disruption of services, and further compromise of the system and its users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any fix published by code-projects for CVE-2026-10288 in Hotel and Tourism Reservation System 1.0. Until then, restrict access to \u003ccode\u003e/admin/\u003c/code\u003e at the web server or network layer (IP allow-list, VPN, or an authenticating reverse proxy) so that bypassing the application\u0026rsquo;s own login is not enough to reach the panel.\u003c/li\u003e\n\u003cli\u003eWhen reviewing the login code, grant a session only when \u003ccode\u003epassword_verify\u003c/code\u003e returns exactly \u003ccode\u003etrue\u003c/code\u003e for the stored hash of the requested account, and reject empty, non-string, or otherwise malformed Password values before the comparison.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/admin/login.php\u003c/code\u003e as described in the Sigma rule \u0026ldquo;Detect CVE-2026-10288 Exploitation Attempt via Admin Login\u0026rdquo;. Note that standard web server access logs do not record POST bodies, so the Password value is only visible in WAF or application-level logs; in access logs, look for login POSTs from unexpected source addresses and for apparently successful logins (a redirect into the admin area) that no administrator performed.\u003c/li\u003e\n\u003cli\u003eStrong password policies do not mitigate a check that can be bypassed. Multi-factor authentication helps only if it is enforced at a layer the bypass does not reach, such as an SSO or reverse-proxy login in front of \u003ccode\u003e/admin/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T21:16:59Z","date_published":"2026-06-01T21:16:59Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/","summary":"CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.","title":"CVE-2026-10288 - code-projects Hotel and Tourism Reservation System Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/"}],"language":"en","title":"CraftedSignal Threat Feed — Hotel and Tourism Reservation System 1.0","version":"https://jsonfeed.org/version/1.1"}
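As an added example (this code is not part of the CraftedSignal feed, the Sigma rules it references, or the code-projects application), the following Python implements the access-log monitoring that both advisories above recommend: it parses combined-format web server log lines, applies heuristic SQL injection indicators to the URL-decoded `tour` parameter of requests to tour.php (CVE-2026-10290), and flags POSTs to /admin/login.php from sources outside an administrator allow-list (CVE-2026-10288). The sample log lines, the 10.0.0.5 allow-list entry, the treatment of a 302 response as a probable successful login, and the indicator patterns are all assumptions made for the example.

```python
"""Log-based triage for the two advisories above (constructed example, not feed code)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined access-log format as written by Apache/nginx. Assumption: the request
# line is intact and the query string is percent-encoded, which is how browsers
# and most tooling send it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Heuristic SQL injection indicators, checked against the *decoded* parameter value.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"['\"`]",                                    # quote to break out of a string literal
    r"--|#|/\*",                                  # comment sequences used to truncate the query
    r"\bunion\b.*\bselect\b",                     # union-based extraction
    r"\b(or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+",    # boolean tautologies such as OR 1=1
    r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", # time-based probes
    r"\binformation_schema\b",                    # schema enumeration
)]

# Assumption for the admin-login rule: legitimate administrators only log in from here.
ADMIN_ALLOWLIST = {"10.0.0.5"}


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, script and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    # parse_qs percent-decodes once and turns '+' into spaces.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def sqli_indicators(value):
    """Patterns from SQLI_PATTERNS that match; decodes once more to catch double-encoding."""
    decoded = unquote_plus(value)
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]


def detect_cve_2026_10290(rec):
    """GET tour.php?tour=<payload>: the only place the advisory says the bug lives."""
    if rec["script"].rsplit("/", 1)[-1] != "tour.php" or "tour" not in rec["query"]:
        return None
    for value in rec["query"]["tour"]:
        hits = sqli_indicators(value)
        if hits:
            return {"cve": "CVE-2026-10290", "ip": rec["ip"], "ts": rec["ts"],
                    "value": unquote_plus(value), "indicators": hits}
    return None


def detect_cve_2026_10288(rec):
    """POST /admin/login.php from an unexpected source.

    Access logs never contain the POST body, so the manipulated Password value is
    invisible here; that part of the detection needs WAF or application logs. What
    the access log does show is who attempted an admin login and whether the server
    answered with the redirect a successful login produces (assumed to be a 302).
    """
    if rec["method"] != "POST" or not rec["script"].endswith("/admin/login.php"):
        return None
    if rec["ip"] in ADMIN_ALLOWLIST:
        return None
    return {"cve": "CVE-2026-10288", "ip": rec["ip"], "ts": rec["ts"],
            "status": rec["status"], "likely_success": rec["status"] == "302"}


def scan(lines):
    """Run both rules over an iterable of access-log lines and return the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in (detect_cve_2026_10290, detect_cve_2026_10288):
            alert = rule(rec)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:22:19:02 +0000] "GET /tour.php?tour=3 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jun/2026:22:19:05 +0000] "GET /tour.php?tour=3%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2026:22:19:09 +0000] "GET /tour.php?tour=-1%20UNION%20SELECT%201,username,password%20FROM%20users HTTP/1.1" 200 6001
10.0.0.5 - - [01/Jun/2026:22:20:00 +0000] "POST /admin/login.php HTTP/1.1" 302 -
198.51.100.23 - - [01/Jun/2026:22:21:00 +0000] "POST /admin/login.php HTTP/1.1" 302 -
198.51.100.23 - - [01/Jun/2026:22:21:30 +0000] "GET /tour.php?tour=paris%20city%20tour HTTP/1.1" 200 5200
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script, it prints three alerts for the sample: two SQL injection attempts against tour.php (a time-based probe and a UNION extraction) and one admin login POST from an address outside the allow-list; the benign `tour=3` and `tour=paris city tour` requests and the allow-listed administrator's login produce nothing. Two points carry over to any real deployment: matching must happen on the decoded parameter value, since `%27` and `%20` never appear as `'` and space in the raw request line, and the admin-login rule is about provenance rather than payload, because the Password field the advisory describes is simply not in an access log.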