What is the CVSS score of CVE-2026-39109?

CVE-2026-39109 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.2%.

Which versions of PHP are affected by CVE-2026-39109?

Apartment Visitors Management System V1.1 contains a critical SQL injection vulnerability in the login form that allows unauthenticated attackers to bypass authentication and access the entire…

PHP CVE-2026-39109

EUVD-2026-23918 CRITICAL

SQL Injection (CWE-89)

2026-04-20 mitre

GHSA-mr7v-cwcf-gg84

PHP SQLi N A

9.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Apr 20, 2026 - 20:32 vuln.today

CVSS changed

Apr 20, 2026 - 19:22 NVD

9.4 (CRITICAL)

EUVD ID Assigned

Apr 20, 2026 - 18:00 euvd

EUVD-2026-23918

Analysis Generated

Apr 20, 2026 - 18:00 vuln.today

CVE Published

Apr 20, 2026 - 00:00 nvd

CRITICAL 9.4

DescriptionNVD

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database contents.

AnalysisAI

SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. …

RemediationAI

Within 24 hours: Inventory all systems running Apartment Visitors Management System V1.1 and isolate internet-facing instances from public access using network segmentation or firewall rules. Within 7 days: Contact the vendor for patch availability status and timeline; if unavailable, implement Web Application Firewall (WAF) rules to block SQL injection patterns in the username parameter. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39109 vulnerability details – vuln.today

Back