MEDIUM 6.3

CVE-2026-10170: SQL Injection in code-projects Visitor Management System 1.0

A SQL injection vulnerability exists in code-projects Visitor Management System version 1.0. An authenticated attacker can manipulate the 'phone' parameter in the /vms/php/phone_0.php file to inject malicious SQL commands. This allows the attacker to read, modify, or delete database contents without special privileges. The vulnerability requires valid login credentials to exploit and has a published proof-of-concept.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10170 is a SQL injection flaw (CWE-89) arising from improper neutralization of special elements used in an SQL command (CWE-74). The vulnerability is located in /vms/php/phone_0.php where the 'phone' parameter is processed without adequate input sanitization or parameterized queries. An authenticated user can craft a malicious phone value to execute arbitrary SQL, potentially bypassing authentication, exfiltrating sensitive data, or modifying database records. The CVSS 3.1 score of 6.3 (Medium) reflects the requirement for prior authentication, though the attack vector is network-accessible and requires no user interaction.

Business impact

Organizations deploying Visitor Management System 1.0 face risk of unauthorized data access and modification. If the system stores visitor records, contact information, or access logs, an attacker with valid credentials could extract this sensitive information or tamper with visitation history. The impact extends to compliance violations if personal visitor data is compromised. Since visitor management systems often integrate with building security and access control, data integrity issues could affect physical security auditing and incident response capabilities.

Affected systems

code-projects Visitor Management System version 1.0 is affected. The vulnerability is specific to this version; confirm your deployment version against the vendor's documentation. Other versions or products with similar naming should be independently evaluated for comparable issues.

Exploitability

The vulnerability is exploitable but requires valid system credentials. An insider, disgruntled employee, or attacker who has obtained legitimate credentials can execute the attack remotely over the network without triggering additional user interactions. Public disclosure and available proof-of-concept code increase the likelihood of opportunistic exploitation. The low complexity of SQL injection attacks means technical barriers to exploitation are minimal once authentication is gained.

Remediation

Immediately upgrade to a patched version released by code-projects following this disclosure (verify the specific version against the vendor advisory). If an immediate patch is unavailable, implement temporary compensating controls: restrict access to the Visitor Management System to trusted networks or VPN, enforce strong authentication policies including multi-factor authentication, apply Web Application Firewall rules to detect and block SQL injection patterns in the phone parameter, and review database access logs for suspicious activity.

Patch guidance

Contact code-projects to confirm the availability and version number of a patched release. Apply updates during a maintenance window after testing in a non-production environment. Verify that the patch addresses the phone parameter input handling in /vms/php/phone_0.php. After patching, restart the application service and validate that phone number input functionality remains operational.

Detection guidance

Monitor application logs and database query logs for unusual SQL syntax or error messages originating from the phone parameter. Search for patterns such as single quotes, SQL keywords (SELECT, UNION, DROP), or encoded payloads in phone field submissions. Database activity monitoring tools can alert on unexpected schema queries or data exfiltration attempts. Correlate web server logs for POST/GET requests to /vms/php/phone_0.php with suspicious parameter values. Review user access logs to identify which credentials accessed the vulnerable endpoint and when.

Why prioritize this

Although the CVSS score is Medium (6.3), prioritization depends on your deployment. If Visitor Management System 1.0 is in production, patch within 30 days. The requirement for authentication reduces urgency compared to unauthenticated vulnerabilities, but the published exploit and public disclosure accelerate the timeline. Organizations handling sensitive visitor data or integrated with critical building security should prioritize higher. Those in early-stage deployments or non-critical environments can phase patching accordingly.

Risk score, explained

CVSS 3.1 score of 6.3 reflects: Network-accessible attack vector (AV:N) with low attack complexity (AC:L), but requiring low privilege user credentials (PR:L) and no user interaction (UI:N). The impact is confined to the affected system (S:U) with low confidentiality, integrity, and availability impact (C:L/I:L/A:L). The score would be higher for an unauthenticated variant; the credential requirement and bounded impact keep it in the Medium range. Your organizational risk may differ based on data sensitivity, network exposure, and the criticality of the visitor management function.

Frequently asked questions

Can this vulnerability be exploited without valid credentials?

No. The CVSS vector (PR:L) indicates that low-privilege user credentials are required. However, if your Visitor Management System allows self-registration, guest accounts, or has weak password policies, the barrier to obtaining credentials may be lower than assumed.

What types of data could be stolen through this SQL injection?

The attacker gains the same data access as the database user account running the application. This typically includes all visitor records, contact information, check-in/check-out times, host information, and potentially any other data stored in the same database. The scope depends on the database design and user permissions configured by your organization.

Is upgrading the only mitigation option?

Upgrading is the primary fix, but if a patch is delayed, layered defenses help: restrict network access to the system, enforce multi-factor authentication, use WAF rules to block SQL injection syntax, monitor logs aggressively, and review who has system access. These are temporary measures only and should not delay patch deployment.

How do I know if this vulnerability was exploited in my environment?

Search your web server and database logs for suspicious activity around the /vms/php/phone_0.php endpoint. Look for phone parameters containing SQL keywords, special characters, or encoded payloads. Database query logs may show unexpected SELECT or UNION statements. Work with your database administrator to audit recent schema queries and unusual data exports by authenticated users.

This analysis is based on publicly available information as of the publication date. Vendor advisories and patch availability should be verified directly with code-projects. SEC.co does not provide guarantees regarding patch timelines or technical details beyond public disclosures. Organizations should conduct their own risk assessments based on their specific deployment, data sensitivity, and network environment. Testing patches in non-production environments is mandatory before production deployment. This is informational content and not a substitute for professional security consultation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).