CVE-2026-10289
Cross-Site Scripting in Hotel and Tourism Reservation System
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in the Hotel and Tourism Reservation System 1.0, specifically in an unknown function within the file /ht/tour.php.
It occurs when certain input arguments such as name, email, people, or number are manipulated, leading to a cross-site scripting (XSS) vulnerability.
This means an attacker can inject malicious scripts remotely through these input fields, potentially affecting users who interact with the system.
How can this vulnerability impact me? :
The vulnerability allows remote attackers to perform cross-site scripting attacks by manipulating input parameters.
Such attacks can lead to the execution of malicious scripts in the context of users' browsers, potentially resulting in session hijacking, defacement, or redirection to malicious sites.
Because the exploit is publicly available, the risk of attacks exploiting this vulnerability is increased.