Description
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_tecnical_user.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic SQL Injection flaw located in the edit_tecnical_user.php script of Personnel Property Equipment System v1.0. An attacker can inject arbitrary SQL statements when submitting form data, enabling unauthorized retrieval, modification, or deletion of data stored in the application's database. The weakness falls under CWE‑89, allowing attackers to compromise confidentiality, integrity, and potentially availability of the system.

Affected Systems

Personnel Property Equipment System version 1.0, distributed through Sourcecodester, is affected. The record identifies this release only by its CPE string; no other vendor or product catalog entry is listed. Systems running this version, especially those exposed to web traffic, are at risk.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity. The low EPSS of less than 1% suggests that widespread exploitation is unlikely at present, but the flaw remains unpatched and could be actively targeted by determined adversaries. The vulnerability is publicly documented and exploitable remotely over standard web protocols via the /ppes/admin/edit_tecnical_user.php endpoint, requiring only valid form submission credentials or the ability to send crafted HTTP requests.

Generated by OpenCVE AI on April 16, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a newer version of Personnel Property Equipment System that addresses the SQL injection flaw.
  • Sanitize all user inputs properly, or use parameterized queries, to prevent injection of arbitrary SQL statements.
  • Restrict the database user privileges used by the application to the minimum necessary for its operation, limiting the potential impact of any injection attempt.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Personnel Property Equipment System 1.0

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester personnel Property Equipment System
Vendors & Products Sourcecodester
Sourcecodester personnel Property Equipment System

Tue, 03 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Jon-remus-sevellejo
Jon-remus-sevellejo personnel Property Equipment System
Weaknesses CWE-89
CPEs cpe:2.3:a:jon-remus-sevellejo:personnel_property_equipment_system:1.0:*:*:*:*:*:*:*
Vendors & Products Jon-remus-sevellejo
Jon-remus-sevellejo personnel Property Equipment System
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 02 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Description sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_tecnical_user.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T20:22:41.328Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26701

Vulnrichment

Updated: 2026-03-03T20:22:34.139Z

NVD

Status: Modified

Published: 2026-03-02T16:16:25.383

Modified: 2026-03-03T21:15:59.137

Link: CVE-2026-26701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z
