Description
SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.
Published: 2026-04-20
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Apply Fix
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw located in the username field of the login page of Apartment Visitors Management System, version 1.1. An attacker who does not need to authenticate can supply specially crafted input that alters the SQL query executed by the backend. This manipulation can lead to extraction of sensitive data from the database, such as user records, contact information, and potentially other confidential details stored by the application. The flaw is based on CWE‑89.

Affected Systems

The affected product is Apartment Visitors Management System version 1.1. No other vendors or versions are listed, so the scope is limited to installations running this specific version of the system.

Risk and Exploitability

The CVSS score of 9.4 indicates a high severity, and the CVE has no publicly disclosed EPSS score and is not listed in the CISA KEV catalog, suggesting that no widespread exploitation has been observed to date. However, because the flaw is unauthenticated and is triggered by a simple HTTP request to the login endpoint, its potential for exploitation is high. Attackers can discover the vulnerability by scanning for the login page and submitting crafted input. If leveraged, the impact is data theft and database compromise, but the CVE does not indicate a direct code execution or denial‑of‑service path.

Generated by OpenCVE AI on April 21, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the application that includes input sanitization and uses parameterized queries for authentication.
  • If an upgrade is not immediately possible, restrict access to the login page or implement a firewall rule to block suspicious input patterns.
  • Review and modify the application code to validate or escape all user-supplied input, ensuring that the username field cannot influence the structure of SQL statements.

Generated by OpenCVE AI on April 21, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated SQL Injection in Apartment Visitors Management System Login Page

Mon, 20 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated SQL Injection in Apartment Visitors Management System Login Page
Weaknesses CWE-89

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T18:31:04.461Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39109

cve-icon Vulnrichment

Updated: 2026-04-20T18:28:48.302Z

cve-icon NVD

Status : Deferred

Published: 2026-04-20T18:16:27.043

Modified: 2026-04-20T19:16:10.733

Link: CVE-2026-39109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses