Cyber Posture

CVE-2026-39109

Critical

Published: 20 April 2026

Published
20 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0020 42.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection by requiring validation of untrusted inputs like the username parameter on the login page to block query manipulation.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of the specific SQL injection flaw in Apartment Visitors Management System V1.1's index.php login functionality.

SI-9 Information Input Restrictions partial match
prevent

Restricts types and quantities of username inputs to limit SQL injection payloads during unauthenticated login attempts.

Security SummaryAI

CVE-2026-39109, published on 2026-04-20, is a SQL injection vulnerability (CWE-89) in the Apartment Visitors Management System version 1.1. The issue affects the username parameter on the login page (index.php), enabling manipulation of backend SQL queries.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity, no privileges, and no user interaction required. Exploitation allows retrieval of sensitive database contents during authentication attempts, yielding a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) with high impacts on confidentiality and integrity, and low impact on availability.

Advisories and further details are available in the referenced sources, including a GitHub repository documenting CVEs for the system at https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/, the project download page at https://phpgurukul.com/?sdm_process_download=1&download_id=21524, and the main project page at https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing web login page enables T1190 (exploit public-facing application); facilitates arbitrary database queries for T1213.006 (data from databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References