Description
A vulnerability has been found in CodeAstro Apartment Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /apartment-visitor/action-visitor.php. Such manipulation of the argument remark leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a remote SQL injection in CodeAstro Apartment Visitor Management System 1.0. Manipulating the ‘remark’ argument in /apartment an attacker to inject arbitrary SQL commands. This flaw is equivalent to a classic SQL injection (CWE‑89) and may also involve improper handling of special HTML elements within input, as indicated by CWE‑74. An attacker could thus read, modify, or delete sensitive data stored in the Apartment Visitor Management System, version 1.0. The flaw resides specifically in the action-visitor.php module, which processes visitor data and accepts the ‘remark’ field. No other versions or additional components are identified as vulnerable.

Affected Systems

CodeAstro’s Apartment Visitor Management System version 1.0 is affected, specifically the action‑visitor.php module accessed via /apartment-visitor/action‑visitor.php, which processes visitor remarks. The vulnerability has been identified only in this version; no other components or versions are reported to be affected.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is below 1%, implying that the likelihood of exploitation in the wild is low. The vulnerability is not listed in CISA's KEV catalog, and exploit details are publicly available. Because the attack vector is remote, an unauthenticated outsider could target the endpoint, provided they can submit a crafted ‘remark’ parameter. The lack of high exploit probability and absence from KEV reduces urgency but the risk is non‑zero and could lead to data exposure or loss.

Generated by OpenCVE AI on July 6, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if CodeAstro has released a patch or update for Apartment Visitor Management System 1.0 that fixes the SQL injection in action‑visitor.php, and apply it immediately if available.
  • If a patch is not available, restrict access to /apartment-visitor/action‑visitor.php to trusted internal IP addresses, or temporarily disable the endpoint until a fix is applied.
  • Harden the application by sanitizing all user inputs, in particular the ‘remark’ parameter, and refactoring the database access to use prepared statements or stored procedures so that no user‑supplied data is concatenated into SQL queries.

Generated by OpenCVE AI on July 6, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 04:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in CodeAstro Apartment Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /apartment-visitor/action-visitor.php. Such manipulation of the argument remark leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Title CodeAstro Apartment Visitor Management System action-visitor.php sql injection
First Time appeared Codeastro
Codeastro apartment Visitor Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:apartment_visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro apartment Visitor Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Apartment Visitor Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T12:58:35.898Z

Reserved: 2026-07-05T18:32:27.304Z

Link: CVE-2026-14795

cve-icon Vulnrichment

Updated: 2026-07-06T12:58:31.893Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T21:15:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')