{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-10288/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-10288"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hotel and Tourism Reservation System 1.0"],"_cs_severities":["high"],"_cs_tags":["cve-2026-10288","authentication bypass","web application"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-10288, exists within the code-projects Hotel and Tourism Reservation System version 1.0. The vulnerability resides in the \u003ccode\u003e/admin/login.php\u003c/code\u003e file, specifically in the Admin Login component\u0026rsquo;s \u003ccode\u003epassword_verify\u003c/code\u003e function. A remote attacker can manipulate the Password argument during login to bypass authentication. This improper authentication can grant unauthorized access to the administrative panel of the affected system. Given the public availability of an exploit, the risk of exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of code-projects Hotel and Tourism Reservation System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the /admin/login.php page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to /admin/login.php, manipulating the Password argument in a way that bypasses the \u003ccode\u003epassword_verify\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe system improperly authenticates the attacker due to the vulnerability in the \u003ccode\u003epassword_verify\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the administrative panel.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to modify hotel and tourism data.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to add malicious scripts to the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10288 allows an attacker to bypass authentication and gain administrative access to the Hotel and Tourism Reservation System. This could lead to unauthorized modification of hotel and tourism data, disruption of services, and potentially further compromise of the system and its users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by code-projects for the Hotel and Tourism Reservation System 1.0 to remediate CVE-2026-10288.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/admin/login.php\u003c/code\u003e with unusual parameters in the Password field as outlined in the Sigma rule \u0026ldquo;Detect CVE-2026-10288 Exploitation Attempt via Admin Login\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication where possible to mitigate the impact of potential authentication bypass vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T21:16:59Z","date_published":"2026-06-01T21:16:59Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/","summary":"CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.","title":"CVE-2026-10288 - code-projects Hotel and Tourism Reservation System Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-10288","version":"https://jsonfeed.org/version/1.1"}