VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10289


Description

Stored XSS in Hotel and Tourism Reservation System 1.0 allows unauthenticated attackers to inject scripts via booking fields, executed by administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically within the tour booking functionality located in /ht/tour.php [2]. The vulnerability lies in the handling of parameters such as name, email, people, and number [2]. These fields are susceptible to the injection of arbitrary JavaScript payloads without proper sanitization, which are then stored in the tour reservations table of the hotel_db database [2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by navigating to the tour booking page (/ht/tour.php) and injecting a malicious JavaScript payload into one of the input fields, such as the name field [2]. After submitting the booking form, the payload is stored. The vulnerability is triggered when an administrator accesses the tour reservations management page (/ht/admin/tour_reserves.php), causing the stored script to execute within the administrator's browser context [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's session. This can lead to various malicious actions, including session hijacking, theft of administrator credentials, or complete takeover of the administrator's account, thereby compromising the entire system [2].

Mitigation

No specific patched version or release date has been disclosed in the available references. It is recommended to monitor vendor advisories for updates. As of the available information, no workarounds have been published, and the system is not listed as end-of-life or on the KEV list [1, 2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The booking form at tour.php stores user input directly in the database without sanitization, and the admin panel at tour_reserves.php echoes stored values without output encoding."

Attack vector

An unauthenticated attacker can inject arbitrary JavaScript into the booking form fields at /ht/tour.php by manipulating the name, email, people, or number parameters. The malicious payload is stored in the database without sanitization. When an administrator visits the tour reservations management page at /ht/admin/tour_reserves.php, the stored payload executes in the admin's browser context, enabling actions like session hijacking or credential theft [ref_id=1].

Affected code

The vulnerability exists in the tour booking functionality. The injection point is the file `tour.php`, where user input for fields such as name, email, people, and number is accepted via POST. The stored payload is then executed when the administrator accesses `admin/tour_reserves.php`, as the stored values are echoed raw into the HTML response [ref_id=1].

What the fix does

The advisory recommends encoding user input before rendering it to prevent Cross-Site Scripting (XSS) vulnerabilities. Specifically, it suggests using `htmlspecialchars` on the reservation name when displaying it in the admin panel to neutralize any injected script tags [ref_id=1]. This prevents the stored payload from executing in the administrator's browser.
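As an added illustration, not the project's code and not the author's fix, the raw echo pattern the advisory describes beside an output-encoded version built on `htmlspecialchars`; the row layout, column names and sample rows are assumptions modelled on the fields the advisory names:

```php
<?php
// Added example (not the project's code). The reservation columns and the
// $rows sample below are assumptions based on the fields named in the advisory.

// Constructed sample rows, as they might be read back from the reservations
// table. The first carries a script tag that the raw rendering would execute.
$rows = [
    ['name' => '<script>alert(1)</script>', 'email' => 'a@example.com',
     'people' => '2', 'number' => '555-0100'],
    ['name' => "O'Brien", 'email' => 'b@example.com',
     'people' => '4', 'number' => '555-0101'],
];

// Vulnerable pattern: stored values are echoed straight into the HTML response.
function render_row_raw(array $r): string
{
    return "<tr><td>{$r['name']}</td><td>{$r['email']}</td>"
         . "<td>{$r['people']}</td><td>{$r['number']}</td></tr>\n";
}

// Hardened pattern: every untrusted value is encoded for the HTML context it
// lands in. ENT_QUOTES also escapes both quote characters, so the same helper
// is safe inside quoted attribute values; the explicit charset avoids
// multibyte edge cases.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_encoded(array $r): string
{
    // Numeric fields are validated as well as encoded: a non-integer "people"
    // value is replaced rather than rendered, narrowing what reaches the page.
    $people = filter_var($r['people'], FILTER_VALIDATE_INT);
    if ($people === false) {
        $people = 0; // treat malformed stored data as empty instead of echoing it
    }
    return '<tr><td>' . h($r['name']) . '</td><td>' . h($r['email']) . '</td>'
         . '<td>' . $people . '</td><td>' . h($r['number']) . '</td></tr>' . "\n";
}

foreach ($rows as $r) {
    echo "RAW:     " . render_row_raw($r);
    echo "ENCODED: " . render_row_encoded($r);
}
```

In the encoded output the first row's name renders as the literal text `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays rather than executes.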

Preconditions

  • Authentication: No authentication is required for injection. Authentication is required to trigger the payload execution.
  • Network: The attack can be initiated remotely.

Reproduction

Step 1 — Navigate to the tour booking page as an unauthenticated user: http://<target>/ht/tour.php?tour=4
Step 2 — Enter an XSS payload (e.g., `<script>alert(1)</script>`) in the name field or any other vulnerable field, then click 'Book Now'.
Step 3 — Log in as an administrator and navigate to the tour reservations panel: http://<target>/ht/admin/tour_reserves.php. The stored XSS payload will execute [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
