CVE-2026-13525 - Vulnerability Details

Description

A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee_model.php of the component Update_Earn_Leave Endpoint. The manipulation of the argument emid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

Published: 2026-06-29

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An input parameter named emid is passed to the emselectByCode function of the Update_Earn_Leave endpoint and is concatenated directly into a SQL statement. This allows an attacker to inject arbitrary SQL code, gaining the ability to read, modify, or delete employee records stored in the database. The vulnerability is a classic instance of CWE‑74 and CWE‑89, where untrusted input reaches a database query without proper sanitization. Compromise of the HRMS database would affect confidentiality, integrity, and availability of personnel information.

Affected Systems

The vulnerability impacts CodeAstro Human Resource Management System version 1.0. Any deployment of this product that incorporates the unsanitized emid input in the Update_Earn_Leave endpoint is susceptible, as no later releases are mentioned.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score is not available, leaving the exact exploitation likelihood uncertain. The public exploit code referenced in external resources demonstrates that a remote attacker possessing network access to the API can trigger the injection. Although the vulnerability is not listed in the CISA KEV catalog, the existence of a working exploit raises the risk that attacks may spread if the system remains unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CodeAstro

Human Resource Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the CodeAstro Human Resource Management System to a version that resolves the emselectByCode input handling, if a vendor patch is available.
Modify the emselectByCode function to employ parameterized queries or prepared statements so that the emid value is never concatenated into raw SQL.
Restrict the database user's privileges to the least amount required, such as only SELECT, INSERT, UPDATE, and DELETE on the relevant tables, to limit the impact of a successful injection.
Deploy application and database monitoring alerts to detect unusual query patterns that may indicate injection attempts.

Generated by OpenCVE AI on June 29, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://codeastro.com/
https://github.com/ashikmd0507/CVE/tree/main/Time-Based%20Blind%20SQL%20Injection%20in%20Update_Earn_Leave%20via%20emid%20Parameter
https://vuldb.com/cve/CVE-2026-13525
https://vuldb.com/submit/840506
https://vuldb.com/vuln/374533
https://vuldb.com/vuln/374533/cti

History

Mon, 29 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee_model.php of the component Update_Earn_Leave Endpoint. The manipulation of the argument emid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
Title		CodeAstro Human Resource Management System Update_Earn_Leave Endpoint Employee_model.php emselectByCode sql injection
First Time appeared		Codeastro Codeastro human Resource Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:codeastro:human_resource_management_system::::::::
Vendors & Products		Codeastro Codeastro human Resource Management System
References		https://codeastro.com/ https://github.com/ashikmd0507/CVE/tree/main/Time-Based%20Blind%20SQL%20Injection%20in%20Update_Earn_Leave%20via%20emid%20Parameter https://vuldb.com/cve/CVE-2026-13525 https://vuldb.com/submit/840506 https://vuldb.com/vuln/374533 https://vuldb.com/vuln/374533/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Codeastro Human Resource Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-29T02:00:09.127Z

Updated: 2026-06-29T02:00:09.127Z

Reserved: 2026-06-28T07:51:35.247Z

Link: CVE-2026-13525

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:00:05Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object