A vulnerability described as critical has been identified in code-projects Hotel and Tourism Reservation System 1.0 . The affected element is an unknown function of the file tour.php of the component GET Parameter Handler . Executing a manipulation of the argument tour can lead to sql injection. This vulnerability is tracked as CVE-2026-10290 . The attack can be launched remotely. Moreover, an exploit is present.