Description
A vulnerability was identified in CodeAstro Apartment Visitor Management System 1.0. This issue affects some unknown processing of the file /apartment-visitor/visitor-entry.php. The manipulation of the argument visname leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw caused by improper handling of the visname parameter in the visitor-entry.php file. This weakness is defined by CWE-74 and CWE-89, meaning that unvalidated input is concatenated directly into SQL queries. An attacker could manipulate the visname value to inject arbitrary SQL statements, potentially reading, modifying, or deleting visitor database records and compromising the confidentiality and integrity of the system.

Affected Systems

CodeAstro’s Apartment Visitor Management System, specifically version 1.0, is affected. The issue resides in the visitor-entry.php component processed by the application and is not limited to any particular operating environment beyond the web context of the product.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is considered moderate to high risk. The EPSS score is below 1%, indicating a low probability of mass exploitation, yet the fact that an exploit exists and can be triggered remotely via the visname argument suggests that an attacker can initiate an attack from any network accessible to the web application. The vulnerability is not listed in the CISA KEV catalog, but its public availability and potential impact warrant cautious monitoring and remediation.

Generated by OpenCVE AI on July 6, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of CodeAstro Apartment Visitor Management System that addresses the SQL injection flaw
  • If an updated version is unavailable, refactor the visitor-entry.php code to use prepared statements or parameterized queries with proper input validation for the visname field
  • Restrict direct web access to visitor-entry.php to authorized internal users only, or place it behind an authentication layer to limit exposure

Generated by OpenCVE AI on July 6, 2026 at 17:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 06:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in CodeAstro Apartment Visitor Management System 1.0. This issue affects some unknown processing of the file /apartment-visitor/visitor-entry.php. The manipulation of the argument visname leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Title CodeAstro Apartment Visitor Management System visitor-entry.php sql injection
First Time appeared Codeastro
Codeastro apartment Visitor Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:codeastro:apartment_visitor_management_system:*:*:*:*:*:*:*:*
Vendors & Products Codeastro
Codeastro apartment Visitor Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codeastro Apartment Visitor Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T05:00:08.606Z

Reserved: 2026-07-05T18:32:34.724Z

Link: CVE-2026-14798

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')