Description
A security flaw has been discovered in CodeAstro Apartment Visitor Management System 1.0. The impacted element is an unknown function of the file /apartment-visitor/add-apartment.php. The manipulation of the argument apartmentno results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-07-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unknown function within the /apartment-visitor/add-apartment.php script of CodeAstro Apartment Visitor Management System 1.0 accepts the apartmentno parameter without proper validation, leading to an SQL injection flaw. The flaw permits an attacker to inject malicious SQL through the apartmentno field, potentially compromising the integrity and confidentiality of the underlying database. The vulnerability can be triggered remotely by submitting crafted HTTP requests, as documented by the public exploit.

Affected Systems

The affected product is CodeAstro Apartment Visitor Management System version 1.0. No other variants or versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, and the EPSS score is not available. The flaw is not listed in the CISA KEV catalog, but the exploit has already been released to the public, which raises the likelihood of real-world attacks. Given that the vulnerability can be triggered remotely through web traffic, the attack vector is likely an HTTP request to the vulnerable endpoint. Organisations using the product should assume the risk of intentional exploitation until a vendor fix or mitigating controls are applied.

Generated by OpenCVE AI on July 5, 2026 at 07:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the /apartment-visitor/add-apartment.php endpoint to authenticated users and enforce least privilege access controls.
  • Implement input validation and sanitization for the apartmentno parameter, using parameterized queries or prepared statements to eliminate SQL injection.
  • Apply any official patch or update released by CodeAstro for the Apartment Visitor Management System once available.
  • Monitor web application logs for unusual SQL injection patterns and respond promptly to any detected incidents.
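The second recommendation above is the one that actually removes the bug class. The following PHP is an added illustration written for this page, not code from CodeAstro's add-apartment.php (the advisory does not identify the vulnerable function or its query). It shows the pattern the advisory describes, a request parameter spliced into SQL text, next to a hardened handler that validates the field's shape and binds it through a PDO prepared statement. The table and column names (apartments, apartment_no, owner_name), the DSN, the session check and the apartment-number format are all assumptions.

```php
<?php
// Added example for this advisory page; not the project's own code.
// Schema, DSN and session layout below are assumed, not taken from the product.
declare(strict_types=1);

// --- The pattern the advisory describes: the parameter becomes part of the SQL text ---
function addApartmentUnsafe(PDO $db, array $post): bool
{
    $apartmentno = $post['apartmentno'] ?? '';
    $owner       = $post['owner'] ?? '';
    // Whatever the client sends in apartmentno is interpolated into the statement,
    // so the request controls the statement's structure, not just its values.
    $sql = "INSERT INTO apartments (apartment_no, owner_name)
            VALUES ('$apartmentno', '$owner')";
    return $db->exec($sql) !== false;
}

// --- Hardened form: validate the field's shape, then bind it as a parameter ---
function validateApartmentNo(string $value): string
{
    // Assumed format: 1 to 10 alphanumerics or dashes. Adjust to the real schema.
    if (!preg_match('/^[A-Za-z0-9-]{1,10}$/', $value)) {
        throw new InvalidArgumentException('Invalid apartment number');
    }
    return $value;
}

function addApartmentSafe(PDO $db, array $post): bool
{
    $apartmentno = validateApartmentNo((string)($post['apartmentno'] ?? ''));
    $owner       = trim((string)($post['owner'] ?? ''));
    if ($owner === '' || strlen($owner) > 100) {
        throw new InvalidArgumentException('Invalid owner name');
    }

    // Prepared statement: the SQL text is fixed at prepare time; the values are
    // sent separately and cannot alter the statement's structure.
    $stmt = $db->prepare(
        'INSERT INTO apartments (apartment_no, owner_name) VALUES (:no, :owner)'
    );
    return $stmt->execute([':no' => $apartmentno, ':owner' => $owner]);
}

// PDO setup: server-side prepares (no client-side emulation) and exceptions on error,
// so a failed query cannot be silently ignored.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Handler sketch. The advisory's vectors carry PR:L, so the endpoint is reached
// by a logged-in user; the first recommendation above (authenticated access,
// least privilege) is enforced here with an assumed session key.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        // DSN and credentials are placeholders for this example.
        $db = connect('mysql:host=localhost;dbname=avms;charset=utf8mb4', 'avms_user', 'CHANGE_ME');
        addApartmentSafe($db, $_POST);
        echo 'Apartment added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The validation step is a defence in depth, not the fix: with a prepared statement and emulated prepares disabled, the apartmentno value can never change the query's meaning regardless of its content, and the whitelist only rejects values that could not be legitimate apartment numbers anyway. Keeping the database account used by the application limited to the tables and statements the feature needs (the least-privilege point in the first recommendation) bounds what any remaining injection could reach.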


Tracking


Advisories

No advisories yet.

History

Sun, 05 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in CodeAstro Apartment Visitor Management System 1.0. The impacted element is an unknown function of the file /apartment-visitor/add-apartment.php. The manipulation of the argument apartmentno results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title CodeAstro Apartment Visitor Management System add-apartment.php sql injection
First Time appeared Codeastro
Codeastro apartment Visitor Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:apartment_visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro apartment Visitor Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-05T01:15:21.240Z

Reserved: 2026-07-04T04:53:08.746Z

Link: CVE-2026-14689

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T07:45:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')