Description
A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. Manipulation of the argument phone causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-05-31
Score: 5.3 Medium (CVSS v4.0 base score; the CVSS v3.x vectors rate the same issue 6.3)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in the phone_0.php script of the code-projects Visitor Management System: the value of the phone request parameter is placed into an SQL query without being neutralized (CWE-89). By supplying SQL syntax in that parameter, an attacker can change the query the database executes and potentially read or modify stored data. The description indicates that the attack can be initiated from a remote source and that an exploit has already been published.

Affected Systems

Vendor code-projects, product Visitor Management System, version 1.0. The vulnerability specifically affects the phone_0.php component within the /vms/php directory of this version.

Risk and Exploitability

The headline score of 5.3 (Medium) is the CVSS v4.0 base score; the v3.0 and v3.1 vectors rate the same issue 6.3. The EPSS estimate shown on this page is below 1%, meaning little observed exploitation activity so far, and the vulnerability is not listed in the CISA KEV catalog. Note that every published vector (CVSS 2.0 Au:S, CVSS 3.x and 4.0 PR:L) requires a low-privileged authenticated user: "remote" here means network-reachable, not unauthenticated. An attacker with such access can send crafted requests to the phone_0.php endpoint and read or modify database contents. Because an exploit is already public (E:P in the vectors), organizations running the affected version should treat the risk as non-negligible and address it promptly.

Generated by OpenCVE AI on May 31, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If the vendor publishes a fixed release or commit, upgrade to it. At the time of writing none is available (see Remediation above), so the following code-level and deployment measures are the fix, not a stopgap.
  • Rewrite the phone parameter handling in phone_0.php to use prepared statements with bound parameters. Validating the value's format (for example, restricting it to digits) is defence in depth and does not replace parameterized queries.
  • Restrict the database account used by the application to the least privilege necessary (only the statements and tables the visitor workflow needs, no administrative or file-system privileges), limiting the impact of any injection that might still succeed.
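The pattern described in the Impact section and the prepared-statement fix recommended above, as an added example that is not code from the Visitor Management System project (the real phone_0.php is not reproduced on this page). It runs against an in-memory SQLite database through PDO so it can be executed offline with the PHP CLI; the table name visitors, its columns, the sample rows and the phone-format regex are all assumptions made for the illustration.

```php
<?php
// Added example, not code from the Visitor Management System project.
// It reproduces the CWE-89 pattern the advisory describes (a "phone"
// request parameter concatenated into SQL) against an in-memory SQLite
// database, then shows the prepared-statement fix. The table and column
// names (visitors, name, phone) and the sample rows are assumptions; the
// real phone_0.php schema is not published on this page.

declare(strict_types=1);

function seedDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');

    // Constructed sample rows.
    $seed = $db->prepare('INSERT INTO visitors (name, phone) VALUES (?, ?)');
    foreach ([['Alice', '5550101'], ['Bob', '5550102'], ['Carol', '5550103']] as $row) {
        $seed->execute($row);
    }
    return $db;
}

// VULNERABLE: the attacker-controlled value becomes part of the SQL text,
// so quotes and operators inside it are parsed as SQL.
function lookupVulnerable(PDO $db, string $phone): array
{
    $sql = "SELECT name, phone FROM visitors WHERE phone = '" . $phone . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value is bound as a parameter and reaches the engine as data,
// never as part of the statement text.
function lookupSafe(PDO $db, string $phone): array
{
    // Defence in depth only: reject anything that is not a plausible phone
    // number before it reaches the database. The pattern is an assumption.
    if (!preg_match('/^\+?[0-9]{3,15}$/', $phone)) {
        return [];
    }
    $stmt = $db->prepare('SELECT name, phone FROM visitors WHERE phone = ?');
    $stmt->execute([$phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = seedDatabase();
$legit   = '5550102';
$payload = "' OR '1'='1";   // classic tautology supplied as the phone value

printf("vulnerable, legitimate input: %d row(s)\n", count(lookupVulnerable($db, $legit)));
printf("vulnerable, payload:          %d row(s)\n", count(lookupVulnerable($db, $payload)));
printf("safe, legitimate input:       %d row(s)\n", count(lookupSafe($db, $legit)));
printf("safe, payload:                %d row(s)\n", count(lookupSafe($db, $payload)));
```

Run it with the PHP CLI (pdo_sqlite is bundled with most PHP builds). With the legitimate number both lookups return the single matching row; with the tautology payload the string-built query returns every visitor, while the prepared statement returns nothing because the bound value is never parsed as SQL. The regex pre-check on its own would not protect a query that is still built by concatenation, which is why the recommendation above treats validation as defence in depth rather than the fix. Pair this with the least-privilege recommendation: the credentials in the PDO DSN should belong to an account limited to the visitor tables.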

Generated by OpenCVE AI on May 31, 2026 at 07:50 UTC.

Tracking


Advisories

No advisories yet.

History

Sun, 31 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title | (none) | code-projects Visitor Management System phone_0.php sql injection
First Time appeared | (none) | Code-projects; Code-projects Visitor Management System
Weaknesses | (none) | CWE-74; CWE-89
CPEs | (none) | cpe:2.3:a:code-projects:visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Code-projects; Code-projects Visitor Management System
References | (none) | (none)
Metrics | (none) | the four CVSS records listed below

cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T05:15:09.039Z

Reserved: 2026-05-30T09:33:58.767Z

Link: CVE-2026-10170

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-31T07:16:17.300

Modified: 2026-05-31T07:16:17.300

Link: CVE-2026-10170

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T08:00:11Z

Weaknesses