Description
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection could expose confidential employee attendance data
Action: Patch immediately
AI Analysis

Impact

The vulnerability exists in the file manage_department.php of SourceCodester Online Employees Work From Home Attendance System version 1.0. It allows an attacker to inject arbitrary SQL statements through input handling in that script. The injected code can read from or write to the underlying database, which would compromise the confidentiality and integrity of employee attendance records. This weakness is a classic injection flaw categorized as CWE-89.

Affected Systems

The affected system is SourceCodester Online Employees Work From Home Attendance System v1.0. The flaw is present in the /wfh_attendance/admin/manage_department.php component; no other versions or products are listed, so the impact is confined to this specific deployment.

Risk and Exploitability

The CVSS score of 2.7 classifies the issue as low severity. An attacker could likely exploit the flaw through the public web interface, as the description does not indicate any authentication requirement and the vulnerable endpoint is accessible via HTTP. EPSS data is unavailable and the vulnerability is not yet listed in the CISA KEV catalog, suggesting that exploitation attempts may be rare but still possible. Administrators should treat the vulnerability as a low-risk but exploitable condition until a patch or workaround is applied.

Generated by OpenCVE AI on April 14, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch for Online Employees Work From Home Attendance System v1.0 quickly.
  • If no patch exists, modify the manage_department.php script to use parameterized queries or prepared statements to eliminate the injection vector.
  • Enforce strict authentication for the admin interface and restrict access to trusted network ranges.
  • Serve the application over HTTPS to protect input data in transit.
  • Monitor database logs for anomalous queries and conduct periodic vulnerability scans to detect any exploitation attempts.
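The second action above (parameterized queries) is the fix that actually removes the injection vector. The following is an added example of that fix, not the SourceCodester project's own code (the vulnerable query itself is not shown on this page); the table and column names, the DSN and the request parameter names are assumptions.

```php
<?php
// Added example, not the SourceCodester project's code. Table/column names
// (department_list, id, name) and the connection details are assumptions.
declare(strict_types=1);

function connect(): PDO {
    // Placeholder DSN and credentials; use the deployment's real values.
    return new PDO('mysql:host=127.0.0.1;dbname=wfh_attendance', 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, not client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The CWE-89 pattern: the request value becomes part of the SQL text itself,
// so whatever it contains is parsed as SQL. Shown only for contrast.
function get_department_unsafe(PDO $pdo, string $id): ?array {
    $row = $pdo->query("SELECT id, name FROM department_list WHERE id = '$id'")->fetch();
    return $row ?: null;
}

// Hardened: check the input's shape, then bind it as a typed parameter so the
// database receives the query structure and the value separately.
function get_department(PDO $pdo, string $id): ?array {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('department id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM department_list WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row ?: null;
}

// Same treatment for a write path: the name is bound as a string, never spliced.
function update_department(PDO $pdo, string $id, string $name): int {
    if (!ctype_digit($id) || $name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('invalid department id or name');
    }
    $stmt = $pdo->prepare('UPDATE department_list SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows changed
}

// Typical wiring inside manage_department.php (parameter name assumed):
// $dept = get_department(connect(), (string) ($_GET['id'] ?? ''));
```

Disabling emulated prepares matters: with emulation on, PDO quotes values client-side, whereas a true server-side prepare keeps the SQL structure fixed before any value arrives.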

Generated by OpenCVE AI on April 14, 2026 at 18:15 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in SourceCodester Online Employees Work From Home Attendance System 1.0

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in SourceCodester Online Employees Work From Home Attendance System 1.0

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester online Employees Work From Home Attendance System
Vendors & Products Sourcecodester
Sourcecodester online Employees Work From Home Attendance System

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:28:25.909Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37596

Vulnrichment

Updated: 2026-04-14T15:28:18.445Z

NVD

Status: Deferred

Published: 2026-04-14T15:16:33.513

Modified: 2026-06-17T10:41:36.910

Link: CVE-2026-37596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')