Description
A vulnerability was found in CodeAstro Apartment Visitor Management System 1.0. Affected is an unknown function of the file /index.php of the component Login. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Published: 2026-07-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Login component of CodeAstro Apartment Visitor Management System 1.0, where manipulating the Username argument in the /index.php file allows an attacker to inject arbitrary SQL. The flaw is a classic input validation weakness (CWE‑74) and can result in unauthorized data access or modification. Because the injection occurs in the authentication endpoint, the attacker can bypass authentication or extract sensitive information, compromising confidentiality and integrity of the visitor database.

Affected Systems

CodeAstro Apartment Visitor Management System, version 1.0. No other versions are listed as affected. The vulnerability resides in the web application’s index.php login page.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, but a public exploit has been documented, showing that attackers can remotely trigger the injection from any network with access to the web interface. The vulnerability is not listed in the CISA KEV catalog. Remote attackers can exploit this flaw by sending crafted Username values to the login endpoint; no special privileges or local access are required.

Generated by OpenCVE AI on July 5, 2026 at 07:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure that future code updates use parameterized queries or stored procedures to eliminate direct SQL string concatenation.
  • Implement input sanitization or whitelist validation on the Username field before database interaction.
  • Restrict access to the login endpoint with firewall rules or rate limiting to reduce exposure, and monitor authentication logs for anomalous activity.

Generated by OpenCVE AI on July 5, 2026 at 07:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in CodeAstro Apartment Visitor Management System 1.0. Affected is an unknown function of the file /index.php of the component Login. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Title CodeAstro Apartment Visitor Management System Login index.php sql injection
First Time appeared Codeastro
Codeastro apartment Visitor Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:apartment_visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro apartment Visitor Management System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Apartment Visitor Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T18:15:08.221Z

Reserved: 2026-07-03T17:29:12.063Z

Link: CVE-2026-14640

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')