Description
A vulnerability was determined in CodeAstro Apartment Visitor Management System 1.0. This vulnerability affects unknown code of the file /apartment-visitor/edit-apartment.php. Executing a manipulation of the argument editid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was identified in the edit-apartment.php component of CodeAstro Apartment Visitor Management System. By manipulating the editid parameter, an attacker can inject arbitrary SQL statements, allowing unauthorized reading, modification, or deletion of database records. This remote vulnerability could expose sensitive visitor and apartment data, compromise data integrity, and potentially disrupt system operations.

Affected Systems

The affected product is CodeAstro Apartment Visitor Management System, version 1.0, running on a web server that serves the edit-apartment.php endpoint. The vulnerability originates from unfiltered user input handling in that file.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a relatively low likelihood of widespread exploitation at this time. However, the issue is publicly disclosed and can be leveraged remotely from anywhere with network access to the web interface. The vulnerability is not listed in the CISA KEV catalog, but its potential to compromise data remains significant.

Generated by OpenCVE AI on July 6, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor-published patch that fixes the editid handling in edit-apartment.php.
  • If a patch is not yet available, implement strict input validation—accept only numeric identifiers and reject any non‑numeric or malformed values before they reach the database.
  • Use prepared statements or parameterized queries for all database interactions involving editid.
  • Limit access to the edit-apartment.php page to authenticated and authorized users only, and enforce role‑based access controls.

Generated by OpenCVE AI on July 6, 2026 at 17:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 06:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in CodeAstro Apartment Visitor Management System 1.0. This vulnerability affects unknown code of the file /apartment-visitor/edit-apartment.php. Executing a manipulation of the argument editid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title CodeAstro Apartment Visitor Management System edit-apartment.php sql injection
First Time appeared Codeastro
Codeastro apartment Visitor Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:apartment_visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro apartment Visitor Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Apartment Visitor Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T10:46:24.850Z

Reserved: 2026-07-05T18:32:32.130Z

Link: CVE-2026-14797

cve-icon Vulnrichment

Updated: 2026-07-06T10:45:58.772Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')