SQL injection vulnerability discovered in Apartment Visitors Management System V1.1 affecting the email parameter on the forgot password page (forgot-password.php). The vulnerability allows unauthenticated attackers to manipulate backend SQL queries and retrieve sensitive user data. The flaw is located in a common authentication bypass scenario where password reset functionality lacks proper input validation. This represents a critical security issue as it requires no authentication and can lead to data exfiltration.