CVE-2026-10170
Received - Intake
SQL Injection in Visitor Management System

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A flaw has been found in code-projects Visitor Management System 1.0. It affects an unknown functionality of the file /vms/php/phone_0.php. Manipulating the argument phone leads to SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects visitor_management_system 1.0
CWE
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for SQL injection in the Visitor Management System 1.0, specifically targeting the `phone` POST parameter in the `pass.php` file.

A common approach is to send crafted SQL injection payloads to the `phone` parameter and observe if the system returns database errors or dumps data.

For example, using curl to test the injection point:

  • `curl -X POST -d "phone=' OR '1'='1" http://target/vms/php/pass.php`
  • `curl -X POST -d "phone=' UNION SELECT NULL, NULL-- " http://target/vms/php/pass.php`

If the response contains database errors or unexpected data, it indicates the presence of SQL injection.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Fix the SQL injection vulnerability by using prepared statements or parameterized queries for the `phone` parameter in `pass.php`.
  • Implement strict file upload validation in the Admin User management panel (`admin_user_0.php`) to restrict file types and extensions.
  • Store uploaded files outside the web-accessible directory to prevent direct execution.
  • Change all plaintext stored passwords to properly hashed passwords using a strong hashing algorithm.
  • Restrict access to the vulnerable endpoints and monitor for suspicious activity.
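
The first mitigation step above, as an added example that is not the project's own code: the concatenated query pattern beside a validated, parameterized lookup in PHP with PDO. The in-memory SQLite database, the `visitors` table, its columns and both function names are assumptions chosen so the example runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed stand-in: in-memory SQLite replaces the application's real
// database so this runs offline. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');
$db->exec("INSERT INTO visitors (name, phone) VALUES
    ('Alice', '5550100'), ('Bob', '5550101'), ('Carol', '5550102')");

// Vulnerable pattern (CWE-89): the request value becomes part of the SQL text.
function lookup_concatenated(PDO $db, string $phone): array
{
    $sql = "SELECT id, name, phone FROM visitors WHERE phone = '" . $phone . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: allowlist validation, then a bound parameter. The value is
// bound as data and is never parsed as SQL.
function lookup_prepared(PDO $db, string $phone): array
{
    if (preg_match('/\A\+?[0-9]{7,15}\z/', $phone) !== 1) {
        throw new InvalidArgumentException('invalid phone format');
    }
    $stmt = $db->prepare('SELECT id, name, phone FROM visitors WHERE phone = ?');
    $stmt->execute([$phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$probe = "' OR '1'='1"; // tautology string quoted in the detection answer above

printf("concatenated, probe:  %d row(s)\n", count(lookup_concatenated($db, $probe)));
printf("prepared, real phone: %d row(s)\n", count(lookup_prepared($db, '5550101')));

try {
    lookup_prepared($db, $probe);
} catch (InvalidArgumentException $e) {
    // In a web handler: respond 400 with a generic message.
    printf("prepared, probe:      rejected (%s)\n", $e->getMessage());
} catch (PDOException $e) {
    // Log server-side only; never echo database errors to the client.
    error_log('phone lookup failed: ' . $e->getMessage());
}
```

When the same code targets MySQL through PDO, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than emulated client-side.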

Can you explain this vulnerability to me?

CVE-2026-10170 is a critical vulnerability in the Visitor Management System 1.0 by code-projects.org. It involves a SQL injection flaw in the phone parameter of the pass.php file, which can be exploited by an attacker with low-privilege access (such as a guard account) to dump the entire database, including plaintext admin credentials.

After obtaining admin credentials, the attacker can log in as an admin and upload a PHP webshell through the Admin User management panel, which lacks file type or extension validation. This webshell is stored in a web-accessible directory and can be executed remotely, granting full remote code execution (RCE) on the server.

Additionally, passwords are stored in plaintext, making it easier for attackers to use stolen credentials without cracking them.


How can this vulnerability impact me?

This vulnerability can lead to a full server compromise. An attacker can remotely execute arbitrary code on the server, potentially gaining complete control over the system.

The attacker can access sensitive data by dumping the entire database, including plaintext admin credentials, which can lead to unauthorized access and data breaches.

The lack of file upload validation allows the attacker to upload malicious scripts, increasing the risk of persistent backdoors and further exploitation.

