CVE-2026-10288
Deferred Deferred - Pending Action
Authentication Bypass in Hotel Tourism Reservation System

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10288
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects hotel_and_tourism_reservation_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hotel and Tourism Reservation System 1.0, specifically in the Admin Login component's password_verify function located in /admin/login.php.

The issue arises from manipulation of the Password argument, which leads to improper authentication.

An attacker can exploit this vulnerability remotely, and the exploit is publicly available.

Impact Analysis

This vulnerability allows an attacker to bypass proper authentication mechanisms remotely.

As a result, unauthorized users could gain administrative access to the system.

This could lead to unauthorized control over the reservation system, potentially compromising sensitive data and system integrity.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to bypass authentication and gain full administrative privileges, enabling them to view, modify, or delete sensitive data such as reservations and user information.

Such unauthorized access and potential data manipulation can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to failure to protect user data confidentiality, integrity, and access controls.

Detection Guidance

This vulnerability can be detected by attempting to authenticate to the admin login page with a valid admin email address and an incorrect password. If the system incorrectly grants access and redirects to the admin dashboard, it indicates the presence of the authentication bypass.

A practical detection method involves sending a POST request to /ht/admin/login.php with the admin email and a fake password and observing the response.

  • Use curl to test the login bypass: curl -X POST -d "[email protected]&password=wrongpassword" https://targetsite/ht/admin/login.php -v
  • Check if the response includes a 302 redirect to the admin dashboard, which confirms the vulnerability.
Mitigation Strategies

The immediate mitigation step is to correct the authentication logic in the admin login code.

Specifically, the conditional branches in the password verification process should be swapped so that administrative access is granted only when password_verify() returns true.

Until a patch is applied, restrict access to the admin login page by IP filtering or other access controls to prevent unauthorized remote exploitation.

Monitor logs for suspicious login attempts using valid admin emails with incorrect passwords.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart