Description
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.
Published: 2026-04-16
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Unauthorized database access and potential data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The payroll management system allows arbitrary SQL commands to be executed through the employee view page, potentially enabling attackers to read or alter sensitive payroll data such as employee salaries and personal details. This flaw is a SQL Injection vulnerability identified as CWE-89, indicating improper handling of user input in SQL statements.

Affected Systems

SourceCodester Payroll Management and Information System version 1.0, specifically the /payroll/view_employee.php page. No further vendor or version details are provided.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability is classified as critical. The EPSS score is not available, so the probability of exploitation remains uncertain. Based on typical attack patterns for SQL injection in web applications, it is inferred that an attacker who submits a crafted request to /payroll/view_employee.php could gain unauthenticated access to the database and read or modify sensitive payroll data, compromising data confidentiality and integrity. The vulnerability is not listed in the CISA KEV catalog, yet the high severity warrants urgent attention from security teams.

Generated by OpenCVE AI on April 17, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch for SourceCodester Payroll Management and Information System v1.0
  • If no patch is available, refactor the view_employee.php code to use prepared statements or parameterized queries
  • Restrict the database user used by the application to the minimum privileges required, ideally read‑only unless write access is essential
  • Implement input validation or sanitization on all user‑supplied parameters before they are incorporated into SQL statements
  • Deploy a web application firewall rule set that blocks common SQL injection payload patterns
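
The refactoring the second and fourth recommendations describe, as an added PHP example rather than the project's own code: the employee id is validated as a positive integer, bound as a typed parameter to a prepared mysqli statement, and queried through a read-only account. The parameter name `id`, the `employees` table and its column names, and the credentials are assumptions.

```php
<?php
// Hardened employee lookup for a view_employee.php-style page. Added example,
// not the project's own code. Assumptions: the employee id arrives in the "id"
// query parameter, the table is "employees", and the DB account is read-only.

declare(strict_types=1);

function connect_readonly(): mysqli
{
    // Placeholder credentials; grant this account SELECT only, so that even a
    // residual injection elsewhere cannot alter payroll data.
    $db = new mysqli('localhost', 'payroll_ro', '<password>', 'payroll');
    if ($db->connect_errno) {
        http_response_code(500);
        exit('Database unavailable');
    }
    $db->set_charset('utf8mb4');
    return $db;
}

function fetch_employee(mysqli $db, int $id): ?array
{
    // The SQL text is constant; the id is bound as an integer parameter and is
    // never concatenated into the statement, so it cannot alter its structure.
    $stmt = $db->prepare(
        'SELECT id, firstname, lastname, position, salary FROM employees WHERE id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Validate before the value reaches the database: only a positive integer passes.
// filter_input() returns null when "id" is absent and false when it is invalid.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid employee id');
}

$employee = fetch_employee(connect_readonly(), $id);
if ($employee === null) {
    http_response_code(404);
    exit('Employee not found');
}

// Render $employee here, escaping every field with htmlspecialchars() on output.
```

Pair the code change with the third recommendation: the `payroll_ro` account should hold SELECT on the payroll tables and nothing else, so a query that does slip through cannot modify data.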

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 06:45:00 +0000

Type  | Values Removed | Values Added
Title |                | SQL Injection in SourceCodester Payroll Management System /payroll/view_employee.php

Thu, 16 Apr 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sourcecodester; Sourcecodester payroll Management And Information System
Vendors & Products  |                | Sourcecodester; Sourcecodester payroll Management And Information System

Thu, 16 Apr 2026 16:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-89
Metrics    |                | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
           |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.
References  |                |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T15:38:38.249Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37347

Vulnrichment

Updated: 2026-04-16T15:36:09.836Z

NVD

Status: Received

Published: 2026-04-16T15:17:37.670

Modified: 2026-04-16T16:16:17.457

Link: CVE-2026-37347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z

Weaknesses