Description
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
Published: 2026-04-16
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: SQL Injection allowing unauthorized data access and potential modification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the SourceCodester Payroll Management and Information System v1.0, specifically in the /payroll/view_account.php endpoint. The script accepts an employee ID through the emp_id HTTP GET parameter and uses it in a database query without validation or parameterization (CWE-89), so an attacker who controls that parameter can change the structure of the SQL statement. This can disclose payroll records beyond the one requested and, depending on the rights of the database account the application uses, alter or delete records, compromising the confidentiality and integrity of the system.

Affected Systems

The only documented affected product is SourceCodester Payroll Management and Information System version 1.0; no other versions are listed. Any deployment running this application and exposing the /payroll/view_account.php page is directly affected.

Risk and Exploitability

The vulnerability is exploitable over the network with a crafted HTTP GET request (CVSS vector AV:N/AC:L, no user interaction), but the vector also records PR:H, so the attacker needs an already-privileged account on the application rather than just the ability to reach the server. That prerequisite, together with the low-rated confidentiality, integrity and availability impacts, is what produces the moderate score of 4.7; a successful attacker can still read and potentially modify sensitive payroll data. The SSVC assessment records no known exploitation and rates the flaw as not automatable. The vulnerability is not currently cataloged in CISA's KEV, and no vendor patch or mitigation advice has been published, which leaves affected deployments without an upstream fix rather than reducing the severity.

Generated by OpenCVE AI on April 17, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize user input and use parameterized queries for the emp_id value in /payroll/view_account.php
  • Restrict the database account used by the application to the minimum privileges required, eliminating unnecessary write permissions
  • Validate the format and length of emp_id before executing any database operation
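The following is an added illustration, not code from the advisory or from the SourceCodester project. The actual view_account.php source is not reproduced on this page, so the vulnerable handler below is a hypothetical reconstruction of the pattern the description and the Impact section above imply (the emp_id GET parameter concatenated into a query), and the hardened handler implements the recommended actions above: validate the shape of emp_id first, then bind it as a parameter. The table and column names (employees, name, salary), the in-memory SQLite database and the probe value are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration for the SQL injection in /payroll/view_account.php.
// Not the project's code: the real handler is not shown on the advisory page,
// so view_account_vulnerable() is a hypothetical reconstruction of the pattern
// described (emp_id taken from the query string and concatenated into SQL).
// Schema, column names and the in-memory SQLite database are constructed here.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, salary REAL)');
    $db->exec("INSERT INTO employees (emp_id, name, salary) VALUES (1, 'Alice', 5200.00), (2, 'Bob', 4100.00)");
    return $db;
}

// Hypothetical vulnerable handler (CWE-89): the raw parameter becomes part of the
// statement text, so it can rewrite the WHERE clause or append a UNION SELECT.
function view_account_vulnerable(PDO $db, string $emp_id): array
{
    $sql = 'SELECT emp_id, name, salary FROM employees WHERE emp_id = ' . $emp_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler: validate the shape of emp_id, then pass it as a bound
// integer so it can only ever be data, never SQL.
function view_account_fixed(PDO $db, ?string $emp_id): ?array
{
    $id = filter_var($emp_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Anything but a positive integer is rejected before any query runs;
        // the calling script should answer 400 Bad Request here.
        return null;
    }
    $stmt = $db->prepare('SELECT emp_id, name, salary FROM employees WHERE emp_id = :emp_id');
    $stmt->bindValue(':emp_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo: a classic tautology probe as it would arrive in ?emp_id=
$db = make_demo_db();
$probe = '1 OR 1=1';

$leaked = view_account_vulnerable($db, $probe);
printf("vulnerable handler returned %d row(s) for %s\n", count($leaked), var_export($probe, true));

$rejected = view_account_fixed($db, $probe);
printf("fixed handler: %s\n", $rejected === null ? 'rejected input' : 'unexpectedly returned a row');

$ok = view_account_fixed($db, '2');
printf("fixed handler for emp_id=2: %s\n", $ok === null ? 'no row' : $ok['name']);
```

Run it with the php command-line binary; PDO's sqlite driver is assumed to be available. With the probe value the vulnerable handler returns the whole employees table, while the hardened handler never reaches the database. The bound parameter is handed to the engine as data, so no value of emp_id can change the statement's structure; the integer check in front of it is defence in depth and also gives the script a clean 400 path. For the second recommended action, the credentials behind the PDO connection in production should belong to a database user granted only the SELECT (plus whatever write rights that page genuinely needs) on the payroll tables, so that an injection anywhere else in the application cannot drop or rewrite records.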

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 05:15:00 +0000

  Title (added): SQL Injection in /payroll/view_account.php of SourceCodester Payroll Management System v1.0

Thu, 16 Apr 2026 19:00:00 +0000

  First Time appeared (added): Sourcecodester; Sourcecodester payroll Management And Information System
  Vendors & Products (added): Sourcecodester; Sourcecodester payroll Management And Information System

Thu, 16 Apr 2026 16:15:00 +0000

  Weaknesses (added): CWE-89
  Metrics (added):
    cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 15:15:00 +0000

  Description (added): SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
  References: (no values shown)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T15:44:44.805Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37346

Vulnrichment

Updated: 2026-04-16T15:43:52.038Z

NVD

Status : Received

Published: 2026-04-16T15:17:37.560

Modified: 2026-04-16T16:16:17.277

Link: CVE-2026-37346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T05:00:05Z

Weaknesses