Description
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/myitem_reuse.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection leading to database compromise
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw located in the /ppes/admin/myitem_reuse.php endpoint of Personnel Property Equipment System v1.0. It allows a malicious actor to inject arbitrary SQL statements, potentially enabling unauthorized data disclosure, modification, or even privilege escalation on the underlying database. The weakness is identified as CWE-89, reflecting a failure to properly escape or parameterize user-supplied input. This flaw can undermine both the confidentiality and integrity of enterprise data.

Affected Systems

Personnel Property Equipment System (version 1.0) developed by Jon Remus Sevellejo is affected. No other versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. It is likely exploitable via authenticated web requests to the vulnerable PHP script, though no specific authentication requirement is described in the data, and the CVSS vector recorded for this CVE rates privileges required as none (PR:N). Attackers would need network access to the web server and could trigger the flaw by submitting crafted input through the relevant endpoint.

Generated by OpenCVE AI on April 17, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or upgrade Personnel Property Equipment System to a version that removes the SQL injection flaw
  • Disable or restrict access to the /ppes/admin/myitem_reuse.php endpoint until a patch is available, using URL or firewall rules
  • Enable logging and monitor for suspicious activity against the endpoint, and consider implementing a web application firewall to block injection attempts


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Title | | SQL Injection in Personnel Property Equipment System allowing unauthorized database access

Wed, 04 Mar 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sourcecodester; Sourcecodester personnel Property Equipment System
Vendors & Products | | Sourcecodester; Sourcecodester personnel Property Equipment System

Tue, 03 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jon-remus-sevellejo; Jon-remus-sevellejo personnel Property Equipment System
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:jon-remus-sevellejo:personnel_property_equipment_system:1.0:*:*:*:*:*:*:*
Vendors & Products | | Jon-remus-sevellejo; Jon-remus-sevellejo personnel Property Equipment System
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/myitem_reuse.php.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T20:27:03.430Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26702

Vulnrichment

Updated: 2026-03-03T20:26:56.124Z

NVD

Status: Modified

Published: 2026-03-02T15:16:36.553

Modified: 2026-03-03T21:15:59.317

Link: CVE-2026-26702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses