CVE-2026-5660 - Vulnerability Details

- itsourcecode Construction Management System Parameter borrowed_equip.php sql injection

Description

A vulnerability was determined in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /borrowed_equip.php of the component Parameter Handler. This manipulation of the argument emp causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Published: 2026-04-06

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in itsourcecode Construction Management System 1.0 permits an attacker to alter the emp parameter in borrowed_equip.php, resulting in a classic SQL injection. The weakness corresponds to CWE-74 input format validation error and CWE-89 vulnerability to injection, allowing unauthorized SQL commands on the backend database. This could lead to disclosure, modification, or deletion of construction data and compromise the confidentiality and integrity of the system. The effect is limited to database operations but can have cascading impacts on application functionality.

Affected Systems

The affected product is itsourcecode Construction Management System version 1.0, specifically the Parameter Handler component in borrowed_equip.php. No other vendor or product versions are listed in the available data.

Risk and Exploitability

The CVSS base score of 5.3 denotes moderate severity. The EPSS score is not provided and the vulnerability is not included in the CISA KEV catalog, indicating that public exploitation data is limited. The attack can be carried out remotely over HTTP by sending a crafted emp value. Successful exploitation would allow attackers to execute arbitrary SQL statements against the application database.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Construction Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Itsourcecode

Construction Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website for an official patch or an upgraded version of Construction Management System; apply it as soon as it becomes available.
If no patch is available, limit exposure by restricting direct web access to borrowed_equip.php via firewall or web application firewall rules.
Implement input validation to detect and reject malformed emp values, and refactor the server code to use parameterized queries instead of concatenating user input.
Ensure that the database account used by the application has only the minimal privileges required for its functions, reducing the damage potential of an injection.
Monitor database logs for anomalous query patterns and investigate any suspicious activity promptly.

Generated by OpenCVE AI on April 6, 2026 at 17:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Learner636/CVE-smbmit/issues/4
https://itsourcecode.com/
https://vuldb.com/submit/786062
https://vuldb.com/vuln/355484
https://vuldb.com/vuln/355484/cti

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode construction Management System
Vendors & Products		Itsourcecode Itsourcecode construction Management System

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /borrowed_equip.php of the component Parameter Handler. This manipulation of the argument emp causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Title		itsourcecode Construction Management System Parameter borrowed_equip.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/Learner636/CVE-smbmit/issues/4 https://itsourcecode.com/ https://vuldb.com/submit/786062 https://vuldb.com/vuln/355484 https://vuldb.com/vuln/355484/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Itsourcecode Construction Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T13:45:10.471Z

Updated: 2026-04-06T18:28:29.673Z

Reserved: 2026-04-06T07:44:32.807Z

Link: CVE-2026-5660

Vulnrichment

Updated: 2026-04-06T18:28:22.161Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T14:16:26.363

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:47Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object