Cve-2026-10288 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-10288/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 01 Jun 2026 21:16:59 +0000CVE-2026-10288 - code-projects Hotel and Tourism Reservation System Authentication Bypasshttps://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/Mon, 01 Jun 2026 21:16:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-cve-2026-10288/CVE-2026-10288 is a high severity vulnerability in code-projects Hotel and Tourism Reservation System 1.0, allowing remote attackers to bypass authentication via manipulation of the Password argument in the /admin/login.php file.A vulnerability, identified as CVE-2026-10288, exists within the code-projects Hotel and Tourism Reservation System version 1.0. The vulnerability resides in the /admin/login.php file, specifically in the Admin Login component’s password_verify function. A remote attacker can manipulate the Password argument during login to bypass authentication. This improper authentication can grant unauthorized access to the administrative panel of the affected system. Given the public availability of an exploit, the risk of exploitation is elevated.

Attack Chain

  1. The attacker identifies an instance of code-projects Hotel and Tourism Reservation System 1.0.
  2. The attacker navigates to the /admin/login.php page.
  3. The attacker crafts a malicious request to /admin/login.php, manipulating the Password argument in a way that bypasses the password_verify function.
  4. The system improperly authenticates the attacker due to the vulnerability in the password_verify function.
  5. The attacker gains unauthorized access to the administrative panel.
  6. The attacker is able to modify hotel and tourism data.
  7. The attacker is able to add malicious scripts to the website.

Impact

Successful exploitation of CVE-2026-10288 allows an attacker to bypass authentication and gain administrative access to the Hotel and Tourism Reservation System. This could lead to unauthorized modification of hotel and tourism data, disruption of services, and potentially further compromise of the system and its users.

Recommendation

  • Apply any available patches or updates provided by code-projects for the Hotel and Tourism Reservation System 1.0 to remediate CVE-2026-10288.
  • Monitor web server logs for suspicious POST requests to /admin/login.php with unusual parameters in the Password field as outlined in the Sigma rule “Detect CVE-2026-10288 Exploitation Attempt via Admin Login”.
  • Implement strong password policies and multi-factor authentication where possible to mitigate the impact of potential authentication bypass vulnerabilities.
]]>highadvisorycve-2026-10288authentication bypassweb application