Impact
The vulnerability is a classic SQL injection flaw in the email parameter of the forgot-password page of Apartment Visitors Management System V1.1. The value submitted in that field is concatenated into a SQL statement and sent to the backend MySQL database without validation or parameterization, so an attacker can supply SQL syntax of their own and have the database execute it. Depending on the database account's privileges, this allows reading or modifying data in the backend MySQL database, including user credentials, personal information, and other confidential records. The root cause is direct injection of untrusted input into a SQL statement, the standard SQL injection weakness.
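The pattern described above, as an added illustration that is not code from the Apartment Visitors Management System or from the CVE references: a lookup that concatenates the email value into the query, beside the same lookup written with a bound parameter. It runs against an in-memory SQLite table so it can be executed offline; the table name `tblusers`, the column names, and the sample rows are assumptions chosen for the demonstration, not the product's schema. In the application's own PHP the equivalent fix is `mysqli_prepare`/`bind_param` or a PDO prepared statement.

```python
import sqlite3


def make_db():
    """Build a constructed stand-in for the application's user table.

    The schema and rows are invented for this example; they are not the
    product's real table or data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblusers (id INTEGER PRIMARY KEY, Email TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblusers (Email, Password) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Model of the flaw: the untrusted value is spliced into the SQL text."""
    sql = "SELECT Email FROM tblusers WHERE Email='" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, email):
    """Parameterized form: the driver binds the value, so it is data, not SQL."""
    sql = "SELECT Email FROM tblusers WHERE Email=?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Two classic payloads. The trailing space after "--" keeps the comment valid
# in MySQL as well as SQLite.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT Password FROM tblusers-- "


def demo():
    """Return (vulnerable results, fixed results) for each payload."""
    conn = make_db()
    return {
        "tautology": (lookup_vulnerable(conn, TAUTOLOGY), lookup_fixed(conn, TAUTOLOGY)),
        "union": (sorted(lookup_vulnerable(conn, UNION_DUMP)), lookup_fixed(conn, UNION_DUMP)),
        "legit": (lookup_vulnerable(conn, "bob@example.com"), lookup_fixed(conn, "bob@example.com")),
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:10s} vulnerable={vuln} fixed={fixed}")
```

The tautology payload turns the WHERE clause into `Email='' OR '1'='1'` and returns every row; the UNION payload pulls a different column (here the password hashes) into the result set. The parameterized version returns nothing for both, because the whole payload is compared literally against the Email column, while a genuine address still matches in both variants.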
Affected Systems
The affected product is Apartment Visitors Management System version 1.1, a PHP/MySQL web application used to manage visitor access to apartment complexes. No vendor is listed; the codebase is publicly available in the GitHub repositories linked in the references. It is a typical small-scale application deployed on a web server with a MySQL database, so any instance exposed to untrusted users is affected unless the forgot-password query has been patched.
Risk and Exploitability
The CVE carries a CVSS base score of 7.5, which falls in the High band. SQL injection in a pre-authentication page is a high-risk flaw because it lets unauthenticated attackers extract or manipulate data in the database. The flaw is triggered remotely by sending a crafted request to the forgot-password.php page, so it is exploitable over the network by anyone who can reach the web server, with no credentials or user interaction required. The CVE is not listed in the CISA KEV catalog, so there is no public confirmation of exploitation in the wild at the time of this analysis; absence from KEV is not evidence that exploitation is not occurring, and the combination of remote reachability, no authentication, and high information-leak potential warrants prompt remediation.
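A check a defender can run while the fix is pending, added here as an example and not taken from the CVE references or the project: scan web server access logs for requests to forgot-password.php whose email parameter carries SQL metacharacters. The log lines are constructed for the demonstration (Apache combined format, with the parameter in the query string so it appears in a standard access log); if the form submits by POST, the body is not in the access log and the same heuristic has to be applied to a WAF or reverse-proxy log that records request bodies. The `/avms/` path prefix is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines; not real traffic from any deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /avms/forgot-password.php?email=alice%40example.com HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:07 +0000] "GET /avms/forgot-password.php?email=%27+OR+%271%27%3D%271 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:09 +0000] "GET /avms/forgot-password.php?email=a%40b.com%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:01:00 +0000] "GET /avms/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Triage heuristic for injection attempts in a value that should be an e-mail
# address: quote characters, SQL comment openers, or common keywords followed
# by a quote, parenthesis or digit. Quoted local parts (o'brien@...) are legal
# in RFC 5321, so a hit is a lead for review, not proof of an attack.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|#|\b(?:or|and|union|select|sleep|benchmark)\b\s*[('\d]""",
    re.IGNORECASE,
)


def suspicious_requests(log_text, page="forgot-password.php", param="email"):
    """Return (client_ip, decoded_value) for requests to `page` whose `param`
    matches the injection heuristic. parse_qs undoes percent- and plus-encoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + page):
            continue
        for value in parse_qs(parts.query).get(param, []):
            if SQLI_RE.search(value):
                hits.append((m["ip"], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

The first sample line (a plain address) and the request to a different page are ignored; the tautology and the time-based `SLEEP(5)` probe from 203.0.113.9 are reported with their decoded values, which is what you would pivot on to check whether the request returned a different page size or took longer than its neighbours.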
OpenCVE Enrichment