Description
SQL Injection vulnerability in Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate the backend SQL query issued during the forgot-password (password reset) flow and retrieve sensitive database contents.
Published: 2026-04-20
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Unauthorized Data Access
Action: Patch Immediately
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw in the contactno parameter of the forgot-password page (forgot-password.php). An unauthenticated attacker can alter the SQL query the page runs to look up the account for a password reset and read sensitive information from the underlying database. The weakness is CWE-89: user input is concatenated directly into an SQL statement instead of being passed as a bound parameter.

Affected Systems

The affected application is the Apartment Visitors Management System version 1.1. No other vendor, product or version is listed, so V1.1 is the only version currently recorded as affected; earlier versions have not been assessed either way.

Risk and Exploitability

The attack vector is the network-reachable web interface (CVSS AV:N) through the contactno field of the forgot-password page. The flaw requires no privileges or user interaction and discloses database contents, so the risk is high. The CVSS v3.1 score is 8.2 (C:H/I:L/A:N); EPSS data is not yet available, and the vulnerability is not listed in the CISA KEV catalog. Absence from KEV only means no confirmed in-the-wild exploitation has been catalogued; the SSVC assessment on this record already notes a public proof of concept (Exploitation: poc) and rates the attack as automatable, so the absence of a KEV entry should not lower the priority.

Generated by OpenCVE AI on April 20, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or update that addresses the SQL injection in forgot-password.php as soon as one is published; until then, consider disabling or restricting access to the forgot-password page
  • Rewrite the lookup so that contactno is passed to a prepared statement or parameterized query rather than concatenated into the SQL string; this removes the injection point regardless of what the input contains
  • As a compensating control, add server-side allow-list validation for contactno (a contact number should contain only digits) and, if a web application firewall is in place, a rule that rejects SQL metacharacters in that field; this reduces exposure but does not replace the code fix



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 21:00:00 +0000

Type: Title
Values added: Unauthenticated SQL Injection in Forgot Password Page of Apartment Visitors Management System

Mon, 20 Apr 2026 19:15:00 +0000

Type: Weaknesses
Values added: CWE-89

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 17:45:00 +0000

Type: Description
Values added: SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.

Type: References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T18:34:55.729Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39110

Vulnrichment

Updated: 2026-04-20T18:33:00.625Z

NVD

Status : Deferred

Published: 2026-04-20T18:16:27.167

Modified: 2026-04-20T19:16:10.893

Link: CVE-2026-39110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses