CVE-2026-39110
Published: 20 April 2026
Summary
CVE-2026-39110 is a high-severity SQL Injection (CWE-89) vulnerability in Phpgurukul (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-39110 is a SQL injection vulnerability (CWE-89) in the Apartment Visitors Management System version 1.1. The issue affects the contactno parameter on the forgot-password.php page, enabling manipulation of backend SQL queries during the authentication process. Published on 2026-04-20, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting high confidentiality impact with low integrity impact and no availability impact.
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By injecting malicious payloads into the contactno parameter, the attacker can alter SQL queries on the forgot password page, allowing extraction of sensitive database contents.
Mitigation details and related advisories are documented in the provided references, including the GitHub repository at https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/ detailing CVEs for the system, as well as download and project pages at https://phpgurukul.com/?sdm_process_download=1&download_id=21524 and https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23919
Vulnerability details
SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in a public-facing web application (forgot-password.php) directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote exploitation and facilitates T1213.006 (Data from Information Repositories: Databases) by allowing extraction of sensitive database contents.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates validation of user inputs like the contactno parameter to prevent SQL injection manipulation of backend queries.
Requires organizations to identify, report, and correct flaws such as this SQL injection vulnerability in the forgot-password.php page.
Enables scanning for vulnerabilities like CVE-2026-39110 in the Apartment Visitors Management System to support timely detection and remediation.