Description
A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the Construction Management System's employees.php file. An attacker can alter the Name argument to execute arbitrary SQL commands. This attack is possible remotely and can lead to unauthorized data disclosure or manipulation of the database.

Affected Systems

itsourcecode Construction Management System version 1.0 is affected. No other versions or products are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The vulnerability is publicly disclosed, but no EPSS data is available. It is not present in the KEV catalog. Because the attack vector is remote and the exploit is known, a system that has not applied a fix is at risk of compromise if an attacker can reach the affected script.

Generated by OpenCVE AI on April 13, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or upgrade to a newer version of itsourcecode Construction Management System.
  • If a patch is unavailable, restrict access to employees.php to authorized users only.
  • Configure input validation or a web application firewall to block malformed or unexpected Name parameters.
  • Monitor web server logs for suspicious SQL query patterns.
  • Contact the vendor for further guidance or an official fix.

Generated by OpenCVE AI on April 13, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode
Itsourcecode construction Management System
Vendors & Products Itsourcecode
Itsourcecode construction Management System

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Title itsourcecode Construction Management System employees.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Itsourcecode Construction Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T16:53:41.142Z

Reserved: 2026-04-13T08:38:24.425Z

Link: CVE-2026-6190

cve-icon Vulnrichment

Updated: 2026-04-13T16:52:28.169Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T17:16:31.903

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:58Z

Weaknesses