Platform
php
Component
itsourcecode-construction-management-system
Fixed in
1.0.1
CVE-2026-5660 describes a SQL Injection vulnerability discovered in the itsourcecode Construction Management System. This flaw allows attackers to manipulate database queries through the 'emp' parameter within the /borrowed_equip.php file, potentially leading to unauthorized data access and modification. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending release from the vendor.
Successful exploitation of CVE-2026-5660 could grant an attacker unauthorized access to sensitive data stored within the itsourcecode Construction Management System's database. This includes potentially confidential project information, financial records, user credentials, and other critical data. An attacker could leverage this access to modify data, disrupt operations, or even gain complete control of the system. The remote nature of the vulnerability significantly broadens the attack surface, as it can be exploited from anywhere with network access to the affected system. The public disclosure of this vulnerability increases the risk of immediate exploitation.
CVE-2026-5660 has been publicly disclosed, indicating a higher likelihood of exploitation. The vulnerability's ease of exploitation, coupled with its remote accessibility, makes it a potential target for automated scanning and exploitation tools. The public availability of the vulnerability details increases the risk of malicious actors actively seeking to exploit it. The EPSS score is pending evaluation, but the public disclosure suggests a medium to high probability of exploitation.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
Because no fixed version has been provided, immediate mitigation is essential. Implement strict input validation on the 'emp' parameter in /borrowed_equip.php so that user-supplied data is sanitized before it reaches the database and SQL injection attempts are rejected. Consider deploying a Web Application Firewall (WAF) with rules designed to detect and block SQL injection payloads targeting this parameter. Regularly monitor application logs for suspicious SQL queries or database error messages. If possible, temporarily restrict access to the /borrowed_equip.php endpoint until a patch is available. After implementing these mitigations, verify their effectiveness by attempting to reproduce the vulnerability with controlled test inputs.
Update the itsourcecode Construction Management System to a patched version, consulting the vendor documentation for specific update instructions. As an additional security measure, implement robust input validation and sanitization to prevent future SQL injection.
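To make the mitigation above concrete, the following is an added example of the vulnerable query pattern beside a hardened version that validates the 'emp' parameter and binds it with a prepared statement; it is not code from the itsourcecode project, and the table name `equipment_borrow`, the column `emp_id` and the numeric employee-id format are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// numeric shape of an employee id are assumptions for illustration.

// Vulnerable pattern: the request parameter is concatenated into the SQL
// text, so a crafted 'emp' value changes the query the database executes.
function lookupBorrowedVulnerable(mysqli $db, string $emp)
{
    $sql = "SELECT * FROM equipment_borrow WHERE emp_id = '$emp'";
    return $db->query($sql);
}

// Hardened pattern: allow-list the parameter's expected shape, then pass it
// to the database as a bound value so it is only ever treated as data.
function lookupBorrowedSafe(mysqli $db, string $emp): array
{
    // Reject anything that is not a plain numeric id (assumed format).
    if (!preg_match('/^\d{1,10}$/', $emp)) {
        throw new InvalidArgumentException('invalid emp parameter');
    }

    $stmt = $db->prepare('SELECT * FROM equipment_borrow WHERE emp_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $emp);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// How the endpoint would consume the parameter without trusting it.
// Connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
try {
    $rows = lookupBorrowedSafe($db, $_GET['emp'] ?? '');
    foreach ($rows as $row) {
        echo htmlspecialchars(json_encode($row)), "\n";
    }
} catch (InvalidArgumentException $e) {
    // Log the rejected input for monitoring; return a generic error to the client.
    error_log('borrowed_equip.php rejected emp=' . ($_GET['emp'] ?? ''));
    http_response_code(400);
    echo 'Bad request';
}
```

The `error_log` line gives the application-log monitoring recommended above something concrete to watch for: repeated rejections on the 'emp' parameter are a useful indicator of probing against this endpoint.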
CVE-2026-5660 is a SQL Injection vulnerability in itsourcecode Construction Management System versions 1.0.0–1.0, allowing attackers to manipulate database queries via the 'emp' parameter in /borrowed_equip.php.
If you are using itsourcecode Construction Management System version 1.0.0–1.0 and have not applied a patch, you are potentially affected by this SQL Injection vulnerability.
A patch is currently unavailable. Mitigate by implementing strict input validation, deploying a WAF, and monitoring application logs.
The vulnerability has been publicly disclosed, increasing the risk of active exploitation. Monitor your systems closely for suspicious activity.
Check the itsourcecode website and security mailing lists for updates and advisories regarding CVE-2026-5660.