Description
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: Data Compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection present in the file /wfh_attendance/admin/attendance_list.php of the SourceCodester Online Employees Work From Home Attendance System version 1.0. Attackers can inject malicious SQL statements through input fields that are directly concatenated into database queries, permitting unauthorized read, modification, or deletion of employee attendance data. This could expose sensitive personal information and allow manipulation of attendance records, potentially impacting payroll, compliance, and employee trust.

Affected Systems

The affected product is SourceCodester Online Employees Work From Home Attendance System version 1.0, a web-based application used to track remote work attendance. No other vendor or product information is reported.

Risk and Exploitability

The flaw arises from unsanitized input in a publicly accessible web interface, making it easily exploitable by remote attackers. While a CVSS score and EPSS value are not provided, the nature of the flaw suggests a high risk of data compromise. The vulnerability is not listed in the CISA KEV catalog, and no official patch has been identified, so the likelihood of current exploitation cannot be determined. Attackers would likely gain unauthorized access to the database by crafting input that is injected into SQL queries.

Generated by OpenCVE AI on April 14, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement input validation and use prepared statements or parameterized queries in the affected PHP files to prevent unsanitized SQL construction.
  • Update to a patched version of the Online Employees Work From Home Attendance System or apply the vendor's official fix when it becomes available.
  • Restrict access to the admin area to trusted users and enforce the principle of least privilege.
  • Deploy a web application firewall to detect and block SQL injection attempts.
  • Audit all application code for similar insecure query construction and remediate any other potential injection points.
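To illustrate the first recommended action, here is an added example (not code from the SourceCodester project: the real query and parameter name in attendance_list.php are not shown on this page, so an `employee` filter parameter and an `attendance` table are assumed) showing the concatenation pattern the advisory describes next to the parameterized form that removes it:

```php
<?php
// Added example; the table name, column names and the `employee` GET
// parameter are assumptions, not taken from attendance_list.php.

// Vulnerable pattern (CWE-89): request input is concatenated straight into
// the SQL text, so the caller's string can alter the query's structure.
function attendance_list_vulnerable(mysqli $db, array $get): array
{
    $employee = $get['employee'] ?? '';
    $sql = "SELECT id, employee_id, date_logged, status FROM attendance"
         . " WHERE employee_id = '" . $employee . "'";
    $rows = [];
    $res = $db->query($sql);
    while ($row = $res->fetch_assoc()) {
        $rows[] = $row;
    }
    return $rows;
}

// Hardened form: validate the input's shape first, then pass it as a bound
// parameter so it is always treated as a value, never as SQL.
function attendance_list_safe(PDO $db, array $get): array
{
    $employee = $get['employee'] ?? '';
    if (!preg_match('/^\d{1,10}$/', $employee)) {
        // Reject anything that is not a plain numeric id before touching the DB.
        throw new InvalidArgumentException('employee must be a numeric id');
    }
    $stmt = $db->prepare(
        'SELECT id, employee_id, date_logged, status FROM attendance'
        . ' WHERE employee_id = :emp'
    );
    $stmt->execute([':emp' => (int) $employee]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup for the safe variant: disable client-side emulation so the
// statement is prepared by the server and exceptions surface query errors.
function open_attendance_db(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The same allow-list check plus bound parameter should be applied to every other request field the admin pages feed into a query, which is the audit step in the last recommendation above.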

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000
  Title (value added): SQL Injection in SourceCodester Online Employees Work From Home Attendance System

Tue, 14 Apr 2026 16:30:00 +0000
  First Time appeared (values added): Sourcecodester; Sourcecodester online Employees Work From Home Attendance System
  Vendors & Products (values added): Sourcecodester; Sourcecodester online Employees Work From Home Attendance System

Tue, 14 Apr 2026 16:15:00 +0000
  Weaknesses (value added): CWE-89
  Metrics (values added):
    cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000
  Description (value added): SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
  References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:27:12.818Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37597

Vulnrichment

Updated: 2026-04-14T15:27:05.789Z

NVD

Status : Received

Published: 2026-04-14T15:16:33.637

Modified: 2026-04-14T16:16:42.063

Link: CVE-2026-37597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:49Z

Weaknesses