Platform: php
Component: itsourcecode-construction-management-system
Fixed in: 1.0.1
CVE-2026-5675 describes a SQL Injection vulnerability discovered in itsourcecode Construction Management System, specifically impacting versions 1.0.0 through 1.0. This flaw resides within the parameter handler of the /borrowed_tool.php file, allowing attackers to manipulate the 'emp' argument to inject malicious SQL code. The vulnerability is exploitable remotely and poses a risk of unauthorized data access and modification.
Successful exploitation of CVE-2026-5675 allows an attacker to inject arbitrary SQL queries into the itsourcecode Construction Management System database. This could lead to a wide range of malicious activities, including unauthorized data retrieval (sensitive user information, financial records, project details), data modification (altering project timelines, changing user permissions), and even data deletion. Depending on the database user's privileges, an attacker might be able to gain control over the entire system. The public availability of an exploit significantly increases the risk of widespread exploitation.
CVE-2026-5675 has been publicly disclosed and an exploit is available, indicating a high probability of exploitation. It was published on 2026-04-06. The vulnerability's ease of exploitation and public availability make it a priority for remediation. Monitor security advisories from itsourcecode for updates and patches.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-5675 is to upgrade to a patched version of itsourcecode Construction Management System as soon as it becomes available. In the absence of a patch, implement temporary mitigations such as deploying a Web Application Firewall (WAF) with rules to filter potentially malicious SQL injection attempts targeting the /borrowed_tool.php endpoint. Strict input validation on the 'emp' parameter is also crucial, ensuring that only expected data types and formats are accepted. Regularly review database access logs for suspicious activity.
Update the itsourcecode Construction Management System to a patched version. Review and sanitize user input in the borrowed_tool.php file to prevent SQL injection, and implement appropriate validation and escaping for user-provided data.
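As an added example (not code from the itsourcecode project), the following shows the string-concatenation pattern that makes a parameter such as 'emp' injectable, beside a hardened handler that validates the parameter and binds it in a PDO prepared statement. The table and column names, the assumption that 'emp' is a positive integer employee id, and the in-memory SQLite database with constructed rows are all assumptions made for the example.

```php
<?php
// Added example, not code from itsourcecode Construction Management System.
// Table/column names and the meaning of 'emp' (an employee id) are assumptions;
// an in-memory SQLite database with constructed rows stands in for the app's MySQL.

// VULNERABLE PATTERN: the request parameter is concatenated into the query,
// so whoever supplies 'emp' also controls the structure of the SQL statement.
function borrowedToolsVulnerable(PDO $pdo, array $get): array
{
    $emp = $get['emp'] ?? '';
    $sql = "SELECT tool_name FROM borrowed_tool WHERE emp = '" . $emp . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: validate the parameter's type first, then bind it as data in a
// prepared statement so it can never alter the query's structure.
function borrowedToolsSafe(PDO $pdo, array $get): ?array
{
    // Accept only a positive integer id (assumed format); anything else is rejected.
    $emp = filter_var($get['emp'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($emp === false) {
        return null; // caller should answer with HTTP 400 and log the rejected request
    }
    $stmt = $pdo->prepare('SELECT tool_name FROM borrowed_tool WHERE emp = :emp');
    $stmt->bindValue(':emp', $emp, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE borrowed_tool (emp INTEGER, tool_name TEXT)');
$pdo->exec("INSERT INTO borrowed_tool VALUES (7, 'drill'), (7, 'ladder'), (8, 'saw')");

var_dump(borrowedToolsSafe($pdo, ['emp' => '7']));     // ["drill", "ladder"]
var_dump(borrowedToolsSafe($pdo, ['emp' => 'seven']));  // NULL: rejected before any SQL runs
```

The rejected-input branch is also the natural place to emit the log entry that the "review database access logs" guidance above depends on.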
CVE-2026-5675 is a SQL Injection vulnerability affecting itsourcecode Construction Management System versions 1.0.0–1.0, allowing attackers to inject malicious SQL code through the 'emp' parameter in /borrowed_tool.php.
If you are running itsourcecode Construction Management System version 1.0.0–1.0 and have not applied a patch, you are potentially vulnerable to this SQL Injection attack.
The recommended fix is to upgrade to a patched version of itsourcecode Construction Management System. Until a patch is available, implement WAF rules and input validation as temporary mitigations.
Yes, an exploit for CVE-2026-5675 is publicly available, indicating a high likelihood of active exploitation.
Please refer to the itsourcecode website or security advisories for the official advisory regarding CVE-2026-5675.