If your construction firm runs its projects, contracts, and client data through itsourcecode's Construction Management System, a hacker sitting anywhere on the internet could already be reading every record in your database — and you would have absolutely no idea.
Who's at Risk — and What's Actually on the Line
Construction management software is the beating heart of modern building projects. It holds everything: subcontractor agreements, client personal and financial details, site location data, bid documents, and employee records. The itsourcecode Construction Management System 1.0 is a PHP-based platform marketed to small and mid-sized construction firms, project managers, and municipalities — organizations that rarely have a dedicated security team watching the door.
The vulnerability, tracked as CVE-2026-7075 and rated HIGH severity with a CVSS score of 7.3, requires no special access, no inside knowledge, and no sophisticated tooling. An attacker only needs a browser and a few minutes. The exploit code has already been made public, meaning the barrier to attack is essentially zero. If you are running this software today, you should treat this as an active emergency — even though confirmed attacks have not yet been publicly reported.
What an Attacker Can Actually Do to You
Imagine your construction management system as a locked filing cabinet sitting behind a reception desk. Normally, a visitor has to ask the receptionist to look something up for them, and the receptionist carefully retrieves only what they're supposed to. This vulnerability is the equivalent of discovering that the receptionist blindly follows any note slipped through the mail slot — including one that says "bring me every file in every drawer." The attacker doesn't need a key, an employee badge, or even a phone call.
The specific weak point is a location-tracking page inside the software — the screen where project managers record and look up job site addresses. When someone types an address into that field, the software is supposed to search only for that address. But because the software fails to properly sanitize what's typed in, an attacker can instead type a carefully crafted string of database commands disguised as an address. The database can't tell the difference between a legitimate search and a malicious instruction, so it obeys — handing over whatever the attacker asks for.
In a worst-case scenario, this goes beyond just reading data. Depending on how the underlying database server is configured, an attacker could potentially write new data, delete existing records, or — on misconfigured servers — execute commands directly on the machine hosting the software. That transforms a data-theft problem into a full system compromise, where ransomware deployment or persistent backdoor access becomes possible.
The Technical Detail Security Teams Need to Know
The vulnerability is a classic error-based / stacked SQL injection in the address parameter of /locations.php. The parameter is passed directly into a SQL query with no prepared statement binding and no input validation layer, making it trivially exploitable via tools like sqlmap with a single command. Because the application is PHP-based and cross-platform, it can run on both Linux and Windows server stacks, widening the potential attack surface considerably. Researchers and defenders should fingerprint exposed instances via the /locations.php endpoint and treat any externally accessible deployment as fully compromised until patched.
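As an added illustration of the flaw and its fix (example code, not the itsourcecode application's own source), the /locations.php address lookup is rebuilt here in Python against an in-memory SQLite table that stands in for the application's MySQL database; the table layout and rows are constructed for the demo.

```python
import sqlite3

def make_db():
    """Build an in-memory stand-in for the app's locations table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locations (id INTEGER PRIMARY KEY, address TEXT, project TEXT)")
    conn.executemany("INSERT INTO locations (address, project) VALUES (?, ?)", [
        ("12 Harbour Rd", "Pier rebuild"),
        ("40 Mill Lane", "Warehouse fit-out"),
        ("7 Quarry Way", "Access road"),
    ])
    return conn

def lookup_vulnerable(conn, address):
    """The flaw as described above: the address is spliced into the SQL text, so
    quote characters and keywords inside it become part of the statement."""
    sql = "SELECT address, project FROM locations WHERE address = '" + address + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, address):
    """The fix: the address is bound as a value; the database never parses it as SQL."""
    sql = "SELECT address, project FROM locations WHERE address = ?"
    return conn.execute(sql, (address,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # a tautology in place of an address, for the local demo only
    print("vulnerable   :", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # nothing matches
```

The same string that dumps the whole table through the concatenated query is treated as a literal, non-matching address once it is passed as a bound parameter, which is exactly what the patched /locations.php must do.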
How This Came to Light
The vulnerability was publicly disclosed as part of a CVE assignment for itsourcecode Construction Management System version 1.0. The exploit has been made publicly available — meaning detailed instructions for reproducing the attack are now circulating in the security research community and, inevitably, on forums frequented by less scrupulous actors. No specific threat actor group or active exploitation campaign has been confirmed at the time of publication, but the public availability of working exploit code historically compresses the window between disclosure and active attack to days, sometimes hours. Small firms and municipal deployments are especially attractive targets because they are less likely to have intrusion detection systems that would catch early reconnaissance activity.
Three Things You Should Do Right Now
- Take the application offline or firewall it immediately. If your Construction Management System 1.0 installation is accessible from the public internet, block external access at your firewall or web server level today — before a patch is available. No project management convenience is worth a full database breach. If you must keep it running, restrict access to known IP addresses (your office, your VPN) using firewall allowlisting rules.
- Check for a patched version and contact the vendor directly. Visit the itsourcecode official repository or support channel and confirm whether a patched release beyond version 1.0 has been issued in response to CVE-2026-7075. If a fixed version exists, upgrade immediately and verify that the /locations.php file in the new build uses parameterized queries or prepared statements before bringing the system back online.
- Audit your database logs for signs of existing compromise. Pull your database query logs for the past 30 to 90 days and search for anomalous patterns in queries touching the locations table — specifically any entries containing SQL keywords like UNION, SELECT, DROP, or unusual character sequences like --, ', or ; in address fields. If you find anything suspicious, treat your database as potentially exfiltrated, notify affected clients under your applicable data breach obligations, and engage a forensic incident response team.
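A first pass at the log audit in the last step, as added example code (not vendor tooling): it reads lines in the MySQL general query log layout, keeps only statements that touch the locations table, and checks the address literal itself for the keywords and character sequences listed above, so the SELECT that begins every normal query does not trigger a hit. The log lines are constructed samples and the log format is an assumption about your deployment.

```python
import re

# Constructed sample in MySQL general log layout: "<time> <thread_id> Query <statement>"
SAMPLE_LOG = """\
2026-03-02T09:14:11.100000Z   41 Query   SELECT * FROM locations WHERE address = '12 Harbour Rd'
2026-03-02T09:14:40.200000Z   42 Query   SELECT * FROM locations WHERE address = '40 Mill Lane'
2026-03-02T09:15:02.300000Z   57 Query   SELECT * FROM locations WHERE address = '' OR '1'='1'
2026-03-02T09:15:09.400000Z   57 Query   SELECT * FROM locations WHERE address = '' UNION SELECT 1,user(),3 -- '
2026-03-02T09:15:30.500000Z   58 Query   SELECT * FROM projects WHERE name = '' UNION SELECT 1 -- '
2026-03-02T09:16:12.600000Z   59 Query   SELECT * FROM locations WHERE address = 'O\\'Brien St'
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
ADDRESS_LITERAL = re.compile(r"address\s*=\s*'(.*)'", re.IGNORECASE)  # greedy: whole literal
KEYWORDS = re.compile(r"\b(UNION|SELECT|DROP)\b", re.IGNORECASE)
SEQUENCES = ("--", "'", ";")

def suspicious_reasons(address):
    """Return the injection indicators found in an address literal (empty list if clean)."""
    # A properly escaped apostrophe (O\'Brien) is ordinary data, not an indicator.
    unescaped = address.replace("\\'", "")
    reasons = [m.upper() for m in KEYWORDS.findall(unescaped)]
    reasons += [s for s in SEQUENCES if s in unescaped]
    return reasons

def audit_log(text):
    """Return (timestamp, thread_id, reasons) for locations queries whose address literal
    carries indicators; anything returned deserves manual review, not automatic action."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, thread, stmt = m.groups()
        if not re.search(r"\blocations\b", stmt, re.IGNORECASE):
            continue
        lit = ADDRESS_LITERAL.search(stmt)
        if not lit:
            continue
        reasons = suspicious_reasons(lit.group(1))
        if reasons:
            hits.append((ts, thread, sorted(set(reasons))))
    return hits

if __name__ == "__main__":
    for ts, thread, reasons in audit_log(SAMPLE_LOG):
        print(f"{ts} thread {thread}: {', '.join(reasons)}")
```

Run it over the real log file instead of SAMPLE_LOG; in the sample only the two thread 57 queries are flagged, while the escaped apostrophe in "O'Brien St" and the query against the unrelated projects table are not.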
The Bottom Line
SQL injection has been the number-one web application attack class for over two decades. It is not exotic. It is not sophisticated. It is the digital equivalent of leaving your front door open with a sign that says "come on in." The fact that a vulnerability this well-understood still ships in production software in 2026 is a reminder that security hygiene remains a crisis across the small-business software ecosystem. If you run this platform, act today — not after you finish the current project, not after the weekend. Today.