CVE-2026-10290

HIGH

Hotel and Tourism Reservation System 1.0 - SQL Injection via tour.php GET Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-10290. PoCs published by Xmyronn.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-10290, an unauthenticated SQL injection vulnerability in the Hotel and Tourism Reservation System 1.0. It includes vulnerable code snippets, steps to reproduce, and impact analysis, demonstrating a clear understanding of the vulnerability.

Description

A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Manipulating the argument tour can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Exploits (1)

github WRITEUP
by Xmyronn · poc
https://github.com/Xmyronn/CVE-2026-10290-SQLI

Classification: Writeup 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Hotel and Tourism Reservation System 1.0
No auth needed
Prerequisites: Access to the target application
devstral-2 · analyzed Jun 05, 2026

References (6)

Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/vuln/367583
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/vuln/367583/cti
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/cve/CVE-2026-10290
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/submit/825939
Various Sources product
https://code-projects.org/

Scores

CVSS v3 7.3
EPSS 0.0004
EPSS Percentile 14.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-74, CWE-89
Status: published
Products (1): code-projects/Hotel and Tourism Reservation System 1.0
Published: Jun 01, 2026
Tracked Since: Jun 02, 2026