CVE-2026-4223 - Vulnerability Details

Description

A vulnerability was identified in itsourcecode Payroll Management System 1.0. This issue affects some unknown processing of the file /manage_employee.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.

Published: 2026-03-16

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in itsourcecode Payroll Management System 1.0 where the manage_employee.php script incorporates the ID parameter directly into SQL queries without adequate sanitization. Manipulating this ID argument allows an attacker to execute arbitrary SQL statements, potentially exposing confidential payroll information, altering employee records, or deleting data. The vulnerability is classified as CWE‑74 and CWE‑89.

Affected Systems

The affected product is itsourcecode Payroll Management System, specifically version 1.0 as indicated by the vendors and CPE information provided.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% shows a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be exploited remotely via the /manage_employee.php endpoint, with an publicly available exploit that accepts a crafted ID parameter to inject SQL commands. No local privilege escalation requirements are mentioned in the provided data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Payroll Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:angeljudesuarez:payroll_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Itsourcecode

Payroll Management System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website or repository for an update to Payroll Management System 1.0 and apply it immediately if available.
If no update exists, limit exposure of /manage_employee.php by restricting access to trusted IP ranges or temporarily disabling the script.
Verify that the application validates and sanitizes the ID parameter and that database operations use parameterized queries to prevent direct SQL concatenation.
Deploy or configure a web application firewall to detect and block common SQL injection patterns targeting the ID parameter.
Monitor application logs for attempted SQL injection attacks and respond to suspicious activity promptly.

Generated by OpenCVE AI on March 20, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ltranquility/cve_submit/issues/12
https://itsourcecode.com/
https://vuldb.com/?ctiid.351147
https://vuldb.com/?id.351147
https://vuldb.com/?submit.771109

History

Fri, 20 Mar 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Angeljudesuarez Angeljudesuarez payroll Management System
CPEs		cpe:2.3:a:angeljudesuarez:payroll_management_system:1.0:::::::*
Vendors & Products		Angeljudesuarez Angeljudesuarez payroll Management System

Mon, 16 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 07:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in itsourcecode Payroll Management System 1.0. This issue affects some unknown processing of the file /manage_employee.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Title		itsourcecode Payroll Management System manage_employee.php sql injection
First Time appeared		Itsourcecode Itsourcecode payroll Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:itsourcecode:payroll_management_system::::::::
Vendors & Products		Itsourcecode Itsourcecode payroll Management System
References		https://github.com/ltranquility/cve_submit/issues/12 https://itsourcecode.com/ https://vuldb.com/?ctiid.351147 https://vuldb.com/?id.351147 https://vuldb.com/?submit.771109
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Angeljudesuarez Payroll Management System

Itsourcecode Payroll Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-16T07:02:08.708Z

Updated: 2026-03-16T18:43:51.549Z

Reserved: 2026-03-15T16:34:49.258Z

Link: CVE-2026-4223

Vulnrichment

Updated: 2026-03-16T18:43:47.000Z

NVD

Status : Analyzed

Published: 2026-03-16T14:20:14.950

Modified: 2026-03-20T12:52:14.457

Link: CVE-2026-4223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:38Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object