CVE-2021-38833

CRITICAL

PHPGurukul AVMS <1.0 - SQL Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-38833. PoCs published by mari0x00.

AI-analyzed exploit summary: This exploit leverages a SQL injection vulnerability in Apartment Visitor Management System (AVMS) 1.0 to write a PHP webshell to the target system. It then uses this webshell to execute a PowerShell reverse shell payload, providing remote command execution.

Description

SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.

Exploits (1)

exploitdb WORKING POC
by mari0x00 · python · webapps · php
https://www.exploit-db.com/exploits/50288


Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Apartment Visitor Management System (AVMS) 1.0
No auth needed
Prerequisites: Target system running AVMS 1.0 · Network access to the target system · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50288
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38833
Exploit, Third Party Advisory x_refsource_misc
https://streamable.com/ojobew

Scores

CVSS v3 9.8
EPSS 0.0224
EPSS Percentile 80.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): apartment_visitors_management_system_project/apartment_visitors_management_system 1.0
Published: Sep 13, 2021
Tracked Since: Feb 18, 2026