CVE-2026-5675 - Vulnerability Details

- itsourcecode Construction Management System Parameter borrowed_tool.php sql injection

Description

A vulnerability was found in itsourcecode Construction Management System 1.0. This affects an unknown part of the file /borrowed_tool.php of the component Parameter Handler. The manipulation of the argument emp results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

Published: 2026-04-06

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the Construction Management System that permits an attacker to inject arbitrary SQL through the 'emp' parameter in borrowed_tool.php, a component of the Parameter Handler. The weakness stems from insufficient input validation (CWE‑74) and improper handling of SQL statements (CWE‑89). By exploiting this flaw, an attacker can read, alter, or delete database records, thereby compromising the confidentiality, integrity, and availability of project data. The vulnerability can be triggered remotely via an HTTP request to borrowed_tool.php, making it accessible from outside the organization.

Affected Systems

The affected product is itsourcecode Construction Management System version 1.0. No other versions are explicitly listed, so the impact is limited to that release. The vulnerable component is the Parameter Handler in borrowed_tool.php.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. The EPSS score is not available, so the current exploitation prevalence is unknown, and the vulnerability is not listed in CISA's KEV catalog. However, the exploit has been made public and can be launched remotely, increasing the likelihood of real‑world attacks. Successful exploitation could allow attackers to gain unauthorized database access, leading to data theft, modification, or denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Construction Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Itsourcecode

Construction Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check itsourcecode for a security patch or update for Construction Management System 1.0
If no patch is available, implement input validation or switch to parameterized queries for the 'emp' parameter in borrowed_tool.php
Restrict remote access to the borrowed_tool.php endpoint to trusted users or IP addresses
Monitor database logs for anomalous or unexpected queries

Generated by OpenCVE AI on April 7, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/1234234215235/report/issues/1
https://itsourcecode.com/
https://vuldb.com/submit/792392
https://vuldb.com/vuln/355501
https://vuldb.com/vuln/355501/cti

History

Tue, 07 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode construction Management System
Vendors & Products		Itsourcecode Itsourcecode construction Management System

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in itsourcecode Construction Management System 1.0. This affects an unknown part of the file /borrowed_tool.php of the component Parameter Handler. The manipulation of the argument emp results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Title		itsourcecode Construction Management System Parameter borrowed_tool.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/1234234215235/report/issues/1 https://itsourcecode.com/ https://vuldb.com/submit/792392 https://vuldb.com/vuln/355501 https://vuldb.com/vuln/355501/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Itsourcecode Construction Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T18:00:16.247Z

Updated: 2026-04-06T18:47:16.439Z

Reserved: 2026-04-06T09:34:17.324Z

Link: CVE-2026-5675

Vulnrichment

Updated: 2026-04-06T18:47:10.843Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T18:16:46.410

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-5675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:52Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object