CVE-2026-10170 Overview
CVE-2026-10170 is a SQL injection vulnerability in code-projects Visitor Management System 1.0. The flaw resides in the /vms/php/phone_0.php file, where the phone parameter is not properly sanitized before being used in a SQL query. Remote attackers with low-level privileges can manipulate this parameter to inject arbitrary SQL statements. A public exploit has been released, demonstrating an attack chain from SQL injection to remote code execution. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
A public proof-of-concept demonstrates how this SQL injection flaw can be chained into remote code execution against vulnerable Visitor Management System 1.0 deployments.
Affected Products
- code-projects Visitor Management System 1.0
- Component: /vms/php/phone_0.php
- Vulnerable parameter: phone
Discovery Timeline
- 2026-05-31 - CVE-2026-10170 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10170
Vulnerability Analysis
The vulnerability exists in the PHP script /vms/php/phone_0.php shipped with code-projects Visitor Management System 1.0. The script accepts a phone parameter from a remote client and concatenates it into a SQL query without sanitization or parameterized binding. An authenticated attacker with low-privilege access can submit crafted input that alters query logic. The published exploit demonstrates extraction of database contents and escalation into remote code execution on the underlying host. The flaw is reachable over the network and requires no user interaction beyond submitting an HTTP request to the vulnerable endpoint.
Root Cause
The root cause is improper neutralization of user-supplied input before it reaches the SQL interpreter [CWE-74]. The phone argument is embedded directly into a query string rather than passed through prepared statements or input filtering. This pattern allows tautology-based injection, UNION-based extraction, and stacked query techniques depending on the database backend configuration.
Attack Vector
The attack vector is network-based. An attacker sends an HTTP request containing a malicious phone value to /vms/php/phone_0.php. Because the application interpolates the value into SQL, the attacker controls part of the executed query. Public proof-of-concept material on GitHub chains the injection with file write primitives, achieving remote code execution on the host. See the GitHub SQLi to RCE Exploit for technical details of the documented chain.
No verified vendor patch code is available. The vulnerability mechanism is documented in prose only, as the affected application is a small educational PHP project distributed by code-projects without a formal patch pipeline.
Detection Methods for CVE-2026-10170
Indicators of Compromise
- HTTP requests to /vms/php/phone_0.php containing SQL metacharacters such as single quotes, UNION SELECT, --, OR 1=1, or INTO OUTFILE in the phone parameter.
- Unexpected files written to web-accessible directories under the application root, indicative of SQLi-to-RCE staging.
- Database error messages or anomalous response sizes returned by phone_0.php.
- Outbound connections from the web server process to attacker-controlled infrastructure following requests to the vulnerable endpoint.
Detection Strategies
- Deploy web application firewall rules that flag SQL syntax tokens in the phone parameter of requests to phone_0.php.
- Enable database query logging and alert on queries originating from the Visitor Management System service account that contain unusual UNION, SLEEP, or LOAD_FILE constructs.
- Correlate web server access logs with file system change events in the web root to detect post-exploitation web shells.
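The following is an added example (not part of the advisory and not code from code-projects) of the access-log check described in the Indicators of Compromise and Detection Strategies above. It parses combined-format web server log lines, isolates requests whose path is /vms/php/phone_0.php, URL-decodes the phone argument, and flags the SQL tokens listed above while recording the response size so anomalous sizes can be reviewed. The log lines, IP addresses and timestamps are constructed for the example; the regular expression and the combined log format are assumptions about the deployment, not something the advisory specifies.

```php
<?php
// Added example, not part of the advisory or the Visitor Management System.
// Flags access-log entries that hit phone_0.php with SQL metacharacters in
// the phone parameter. Log format assumed: Apache/nginx "combined".

const VULN_PATH = '/vms/php/phone_0.php';

// Tokens named in the Indicators of Compromise section. Matching happens
// after URL decoding so %27 / + encodings do not slip past the check.
const SQLI_PATTERN = '/(\'|union\s+select|\bor\s+1\s*=\s*1\b|--|\/\*|into\s+outfile|load_file)/i';

// Returns an alert record for a suspicious line, or null for a benign one.
function inspectLogLine(string $line): ?array {
    // client IP, timestamp, method, request target, status, response size
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/', $line, $m)) {
        return null; // not a combined-format line
    }
    [, $ip, $ts, $method, $target, $status, $size] = $m;

    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== VULN_PATH) {
        return null; // only the vulnerable endpoint is of interest here
    }
    parse_str($parts['query'] ?? '', $args); // parse_str URL-decodes the values
    $phone = $args['phone'] ?? null;
    if ($phone === null || !preg_match(SQLI_PATTERN, $phone, $hit)) {
        return null;
    }
    return [
        'ip' => $ip, 'time' => $ts, 'method' => $method,
        'status' => (int) $status, 'size' => $size,
        'phone' => $phone, 'token' => $hit[1],
    ];
}

function scanLog(array $lines): array {
    $alerts = [];
    foreach ($lines as $line) {
        $alert = inspectLogLine($line);
        if ($alert !== null) {
            $alerts[] = $alert;
        }
    }
    return $alerts;
}

// Constructed sample log lines; addresses, times and sizes are placeholders.
$sample = [
    '192.0.2.10 - - [01/Jun/2026:10:00:01 +0000] "GET /vms/php/phone_0.php?phone=5550100 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jun/2026:10:00:05 +0000] "GET /vms/php/phone_0.php?phone=%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 48213',
    '192.0.2.11 - - [01/Jun/2026:10:00:09 +0000] "GET /vms/php/phone_0.php?phone=1%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 213',
    '192.0.2.12 - - [01/Jun/2026:10:00:12 +0000] "GET /vms/index.php HTTP/1.1" 200 1024',
];

foreach (scanLog($sample) as $alert) {
    printf("[ALERT] %s %s token=%s status=%d size=%s phone=%s\n",
        $alert['time'], $alert['ip'], $alert['token'],
        $alert['status'], $alert['size'], $alert['phone']);
}
```

Run it against a real access log by replacing `$sample` with `file('/path/to/access.log')`. The first sample line (a plain digit string) and the request to index.php produce no alert; the tautology and UNION lines do, and the large response size on the tautology request is the "anomalous response size" signal from the indicator list, worth correlating with the file-system and process checks in the Monitoring Recommendations.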
Monitoring Recommendations
- Monitor for new PHP files created in the Visitor Management System directory after requests to phone_0.php.
- Track child processes spawned by the PHP interpreter; shells such as sh, bash, cmd.exe, or powershell.exe launched by the web server are high-fidelity signals.
- Review authentication logs for low-privilege accounts being used immediately before injection attempts.
How to Mitigate CVE-2026-10170
Immediate Actions Required
- Restrict network access to the Visitor Management System to trusted internal networks until a fix is applied.
- Remove or rename /vms/php/phone_0.php if the functionality is not required for operations.
- Audit the database used by the application for unauthorized accounts, tables, or stored procedures.
- Rotate database credentials and any secrets that may have been exposed through query output.
Patch Information
No official vendor patch has been published for code-projects Visitor Management System 1.0 at the time of writing. Organizations using this application should treat it as end-of-support and consider migrating to a maintained alternative. Refer to the VulDB Vulnerability #367424 entry for tracking updates.
Workarounds
- Place the application behind a web application firewall with rules blocking SQL injection patterns on the phone parameter.
- Modify phone_0.php to use prepared statements with parameter binding via PDO or mysqli instead of string concatenation.
- Run the PHP-FPM or web server process under a least-privilege account with no write access to the web root, limiting RCE impact.
- Enforce input validation that restricts the phone field to digits and a small set of formatting characters.
# Example WAF rule (ModSecurity) blocking SQLi tokens on the vulnerable endpoint
SecRule REQUEST_URI "@contains /vms/php/phone_0.php" \
"chain,deny,status:403,id:1026010170,msg:'CVE-2026-10170 SQLi attempt'"
SecRule ARGS:phone "@rx (?i)(union\s+select|or\s+1=1|--|/\*|into\s+outfile|load_file)" \
"t:none,t:urlDecode"
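Below is an added example, written for this page and not taken from the Visitor Management System, of the workaround that rewrites phone_0.php to use prepared statements and input validation. It places the concatenation pattern the advisory describes next to a hardened handler built on PDO parameter binding plus a digits-and-formatting allow-list, and runs both against the same tautology input. The table name, column names and SQLite in-memory database are assumptions made so the script runs offline; the real application's schema and its MySQL connection are not on the page.

```php
<?php
// Added example, not code from code-projects' Visitor Management System.
// Vulnerable concatenation (as described for phone_0.php) beside a hardened
// lookup using PDO prepared statements and strict input validation.
// Schema and in-memory SQLite backend are assumptions for an offline run.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO visitors (name, phone) VALUES ('Alice', '5550100'), ('Bob', '5550199')");
    return $db;
}

// Vulnerable pattern: the raw parameter is interpolated into the SQL text,
// so a quote in $phone ends the literal and the rest is parsed as SQL.
function lookupVulnerable(PDO $db, string $phone): array {
    $sql = "SELECT id, name, phone FROM visitors WHERE phone = '" . $phone . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened step 1: allow only digits and a small set of formatting
// characters (the advisory's workaround), rejecting anything else outright.
function validatePhone(string $phone): ?string {
    if (!preg_match('/^\+?[0-9 ()\-]{7,20}$/', $phone)) {
        return null;
    }
    return $phone;
}

// Hardened step 2: bind the value as a parameter so the database receives
// it as data and never parses it as part of the statement.
function lookupHardened(PDO $db, string $phone): array {
    $clean = validatePhone($phone);
    if ($clean === null) {
        return []; // reject rather than attempt to "clean" the value
    }
    $stmt = $db->prepare('SELECT id, name, phone FROM visitors WHERE phone = :phone');
    $stmt->bindValue(':phone', $clean, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
$tautology = "' OR 1=1 -- ";   // constructed input matching the IoC list above

echo "vulnerable, tautology input: " . count(lookupVulnerable($db, $tautology)) . " rows\n";
echo "hardened, tautology input:   " . count(lookupHardened($db, $tautology)) . " rows\n";
echo "hardened, valid number:      " . count(lookupHardened($db, '5550100')) . " rows\n";
```

The concatenated query returns the whole visitors table for the tautology value, the hardened path returns nothing for it and exactly one row for a legitimate number. The same structure applies to mysqli (`prepare`, `bind_param`, `execute`) against the application's MySQL backend; the validation step is kept separate from binding because binding alone prevents injection while validation also keeps junk out of the phone column and gives a clean point to log rejected input.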
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.