CVE-2026-39111
Published: 20 April 2026
Summary
CVE-2026-39111 is a high-severity SQL Injection (CWE-89) vulnerability in a Phpgurukul product (vendor inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39111 is a SQL injection vulnerability (CWE-89) in the Apartment Visitors Management System version 1.1. The issue affects the email parameter in the forgot-password.php page, enabling manipulation of backend SQL queries. Published on 2026-04-20, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no integrity or availability disruption.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required. By injecting malicious payloads into the email parameter, the attacker can extract sensitive user data from the database.
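To make the CWE-89 pattern concrete, here is an added PHP example (written for this page, not code from the Apartment Visitors Management System or from Phpgurukul) that places an unsafe email lookup beside a hardened one combining SI-10 input validation with a prepared statement. The table and column names (tblusers, Email, UserName) and the in-memory SQLite database are assumptions used to keep the demo self-contained.

```php
<?php
// Constructed illustration of a string-built email lookup and its hardened form.
// Table/column names are assumptions, not the project's actual schema.

// Unsafe pattern: the untrusted email value is concatenated into the SQL text,
// so input containing SQL syntax changes the query the database executes.
function lookupUserUnsafe(PDO $pdo, string $email): ?array {
    $sql = "SELECT UserName, Email FROM tblusers WHERE Email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern (SI-10): reject anything that is not a well-formed email
// address, then bind the value so it is always treated as data, never as SQL.
function lookupUserHardened(PDO $pdo, string $email): ?array {
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // malformed input never reaches the database
    }
    $stmt = $pdo->prepare("SELECT UserName, Email FROM tblusers WHERE Email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database (stands in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tblusers (UserName TEXT, Email TEXT)");
$pdo->exec("INSERT INTO tblusers VALUES ('alice', 'alice@example.com')");

$legit = 'alice@example.com';
$tautology = "x' OR '1'='1"; // constructed sample input, not a real account email

// The unsafe lookup returns a row for the tautology because the WHERE clause
// now matches every record; the hardened lookup rejects it before any query runs,
// while still resolving the legitimate address.
var_dump(lookupUserUnsafe($pdo, $tautology) !== null);
var_dump(lookupUserHardened($pdo, $tautology) !== null);
var_dump(lookupUserHardened($pdo, $legit) !== null);
```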
Mitigation guidance and additional details are available in advisories referenced at https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/, https://phpgurukul.com/?sdm_process_download=1&download_id=21524, and https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23920
Vulnerability details
SQL Injection vulnerability in Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries and retrieve sensitive user data.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the network-accessible web application (forgot-password.php) allows unauthenticated remote attackers to manipulate queries and extract database data, directly enabling the Exploit Public-Facing Application technique (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the email parameter to block malicious SQL injection payloads from manipulating backend queries.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific SQL injection flaw in forgot-password.php.
- RA-5 (Vulnerability Monitoring and Scanning): Scans for vulnerabilities like this SQL injection and prioritizes remediation to prevent exploitation.