CVE-2026-10170 - Vulnerability Details

- code-projects Visitor Management System phone_0.php sql injection

Description

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

Published: 2026-05-31

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the phone_0.php script of the code-projects Visitor Management System, where the phone parameter is improperly validated. Manipulating this argument allows an attacker to inject arbitrary SQL statements, potentially enabling data exfiltration or modification. The description indicates that the attack can be initiated from a remote source and that an exploit has already been published.

Affected Systems

Vendor code-projects, product Visitor Management System, version 1.0. The vulnerability specifically affects the phone_0.php component within the /vms/php directory of this version.

Risk and Exploitability

The CVSS score of 5.3 suggests a medium severity, and the EPSS score is not available, implying limited publicly available exploitation data. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending crafted requests to the phone_0.php endpoint, potentially leading to unauthorized database access or data modification. Given the published exploit, the risk to organizations running the affected version is non-negligible and should be addressed promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Visitor Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Visitor Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a patched version of the Visitor Management System that removes the vulnerable code or updates to the latest secure commit.
Modify the phone parameter handling to use prepared statements or other forms of input sanitization to prevent SQL injection.
Restrict the database account used by the application to the least privilege necessary, limiting the impact of any injection that might succeed.

Generated by OpenCVE AI on May 31, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00201.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/Xmyronn/Visitor-Management-System-1.0---SQLi-to-Remote-Code-Execution-Attack-Chain-.git
https://vuldb.com/submit/819186
https://vuldb.com/vuln/367424
https://vuldb.com/vuln/367424/cti

History

Tue, 02 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 31 May 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title		code-projects Visitor Management System phone_0.php sql injection
First Time appeared		Code-projects Code-projects visitor Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:code-projects:visitor_management_system::::::::
Vendors & Products		Code-projects Code-projects visitor Management System
References		https://code-projects.org/ https://github.com/Xmyronn/Visitor-Management-System-1.0---SQLi-to-Remote-Code-Execution-Attack-Chain-.git https://vuldb.com/submit/819186 https://vuldb.com/vuln/367424 https://vuldb.com/vuln/367424/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Visitor Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-31T05:15:09.039Z

Updated: 2026-06-02T14:39:45.603Z

Reserved: 2026-05-30T09:33:58.767Z

Link: CVE-2026-10170

Vulnrichment

Updated: 2026-06-02T14:39:41.667Z

NVD

Status : Deferred

Published: 2026-05-31T07:16:17.300

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:55:42Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object