CVE-2026-10290

Deferred Deferred - Pending Action

SQL Injection in Hotel and Tourism Reservation System 1.0

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description

A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-01

Last Modified

2026-06-01

Generated

2026-06-22

AI Q&A

2026-06-02

EPSS Evaluated

2026-06-21

NVD

CVE-2026-10290

EUVD

EUVD-2026-33819

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Compliance Impact

This SQL Injection vulnerability allows attackers to extract, modify, or delete sensitive data such as user credentials, emails, phone numbers, and reservation details from the database.

Exposure or unauthorized access to such personal and sensitive information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal data and require organizations to implement adequate security measures to prevent data breaches.

Therefore, exploitation of this vulnerability could result in violations of these standards, potentially leading to legal penalties, loss of trust, and other regulatory consequences.

Executive Summary

This vulnerability exists in the Hotel and Tourism Reservation System 1.0, specifically in the tour.php file's GET Parameter Handler component. It involves a weakness in handling the 'tour' argument, which can be manipulated to perform an SQL injection attack. This means an attacker can remotely inject malicious SQL code through the 'tour' parameter.

Impact Analysis

Exploiting this vulnerability allows an attacker to execute arbitrary SQL commands on the affected system remotely. This can lead to unauthorized access to the database, data leakage, data modification, or deletion, potentially compromising the integrity, confidentiality, and availability of the system's data.

Detection Guidance

This vulnerability can be detected by testing the tour.php file's tour GET parameter for SQL injection flaws. One common approach is to use automated tools like sqlmap to attempt to exploit the parameter and confirm the presence of the vulnerability.

Use sqlmap with a command such as: sqlmap -u "http://targetsite/tour.php?tour=1" --batch --dbs to test if the parameter is vulnerable to SQL injection.
Monitor network traffic for unusual or suspicious SQL query patterns targeting the tour parameter.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the tour GET parameter in tour.php, to prevent direct inclusion in SQL queries.

Implement prepared statements or parameterized queries to avoid SQL injection.

Restrict database user privileges to limit the impact of a potential SQL injection attack.

If possible, apply patches or updates provided by the software vendor or remove the vulnerable component until a fix is available.

Monitor logs for suspicious activity and consider temporarily blocking access to the vulnerable endpoint.

Hi! I’m here to help you understand CVE-2026-10290. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-10290

SQL Injection in Hotel and Tourism Reservation System 1.0

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart