Impact
The Personnel Property Equipment System version 1.0 contains a classic SQL injection weakness located in the edit_employee.php file. According to the description, attackers who successfully exploit this flaw can manipulate the underlying database queries, which enables unauthorized disclosure, alteration, or deletion of employee records. Because the data handled by the system is typically confidential personnel and organizational information, the impact extends to confidentiality, integrity, and potential availability of the database. The associated weakness type is CWE‑89, reflecting unsanitized input in a dynamic SQL statement.
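The CWE-89 pattern named above, shown beside a parameterized form. This is an added example, not code from the Personnel Property Equipment System; the table, columns, function names and the in-memory SQLite database (PDO) are assumptions chosen so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed in-memory data standing in for an employee table (hypothetical schema).
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, position TEXT)');
    $db->exec("INSERT INTO employee VALUES (1,'A. Cruz','Clerk'),(2,'B. Reyes','Guard'),(3,'C. Santos','Driver')");
    return $db;
}

// CWE-89: request values are concatenated into the statement text, so the
// database parses whatever the client sent as part of the SQL itself.
function updateVulnerable(PDO $db, string $id, string $position): int {
    return (int) $db->exec("UPDATE employee SET position = '$position' WHERE id = $id");
}

// Hardened: the id is validated as a positive integer and every value is bound,
// so input can only ever be data, never SQL syntax.
function updateHardened(PDO $db, string $id, string $position): int {
    $idInt = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($idInt === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('UPDATE employee SET position = :position WHERE id = :id');
    $stmt->bindValue(':position', $position, PDO::PARAM_STR);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$malformedId = '2 OR 1=1'; // constructed input: turns the WHERE clause into a tautology

// Concatenated form: the edit intended for one record is applied to every row.
echo 'vulnerable, rows changed: ', updateVulnerable(freshDb(), $malformedId, 'Supervisor'), PHP_EOL;

// Bound form: the same input is rejected before any SQL is executed.
try {
    updateHardened(freshDb(), $malformedId, 'Supervisor');
} catch (InvalidArgumentException $e) {
    echo 'hardened, rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate value containing a quote is stored as data and touches one row.
echo 'hardened, rows changed: ', updateHardened(freshDb(), '2', "O'Neil's deputy"), PHP_EOL;
```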
Affected Systems
The affected system is the Personnel Property Equipment System, version 1.0, developed by Jon‑Remus Sevellejo. It is a web‑based application that manages personnel, property, and equipment data for organizations.
Risk and Exploitability
The CVSS score of 9.8 signals a high-severity injection vulnerability, while the EPSS score of less than 1% indicates that widespread exploitation has not yet been observed but remains possible. The vulnerability is not listed in the CISA KEV catalog. Based only on the description, the likely attack vector is the web interface, potentially requiring administrative authentication to access edit_employee.php. Successful exploitation would directly compromise the confidentiality and integrity of the database, and could be a stepping stone toward broader system compromise if the database is used by other applications.