Description
A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

An improper authorization check in the User Information Handler allows a remote attacker to manipulate the ID parameter and gain unauthorized access to user data. The vulnerability results in a privilege escalation where any authenticated user can view or modify other users’ information. The weakness is classified as CWE-285 and CWE-639, reflecting an incorrect permission check and an instance of unintended information disclosure through insecure direct object references.

Affected Systems

SourceCodester Leave Application System version 1.0 is affected by the flaw. The issue exists in the file /index.php?page=manage_user, which belongs to the User Information component and is reachable remotely through the web application.

Risk and Exploitability

The vulnerability scores a CVSS of 6.9, indicating a moderate to high severity. No EPSS data is available, and it is not listed in the CISA KEV catalog, suggesting the exploitation likelihood is not formally quantified. The attack requires only remote access to the application and can be performed by sending a crafted request that modifies the ID argument. Once exploited, it enables unauthorized viewing or modification of user details, potentially exposing personal data.

Generated by OpenCVE AI on April 2, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the latest security patch for SourceCodester Leave Application System from the vendor’s official website.
  • If a patch is not yet released, restrict access to the /index.php?page=manage_user endpoint to administrators only.
  • Implement role-based access control checks on the server side to verify that the requesting user has permission to view the requested user ID.
  • Monitor web application logs for anomalous ID parameter values and investigate any unauthorized access attempts.
  • If the vendor offers a temporary mitigation or configuration update, apply it until a full patch is available.

Generated by OpenCVE AI on April 2, 2026 at 12:20 UTC.
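The server-side check called for above, as an added illustration that is not the project's code: a hypothetical manage_user handler that trusts the caller-supplied ID as the authorization key (the CWE-639 pattern) beside a version that authenticates the session, validates the ID and authorizes it against the session user before querying. The users table, the records and the session are constructed; the real application's source is not on this page.

```php
<?php
// Hypothetical illustration of the CWE-639 pattern behind this CVE and its fix;
// not the SourceCodester Leave Application System's own code.

// Constructed in-memory table standing in for the application's users table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (7, 'alice', 'employee'), (8, 'bob', 'employee')");

function fetch_user(PDO $db, int $id): array|false {
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Vulnerable pattern: whatever id the request carries is looked up directly,
// so the id parameter alone decides whose record comes back.
function manage_user_vulnerable(PDO $db, array $get): array|false {
    return fetch_user($db, (int) ($get['id'] ?? 0));
}

// Hardened pattern: authenticate, validate the id, then authorize it against
// the session user (own record, or admin role) before touching the database.
function manage_user_hardened(PDO $db, array $get, ?array $sessionUser): array|false {
    if ($sessionUser === null) {
        http_response_code(401);              // no logged-in session
        return false;
    }
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);              // missing or malformed id
        return false;
    }
    if ($sessionUser['role'] !== 'admin' && $id !== $sessionUser['id']) {
        http_response_code(403);              // not the caller's record and not an admin
        // Denied requests are logged so anomalous id values can be investigated.
        error_log("authz denied: user {$sessionUser['id']} requested id $id on manage_user");
        return false;
    }
    return fetch_user($db, $id);
}

// Constructed session: alice (id 7, employee) requests bob's record (id 8)
// through each handler, then her own record through the hardened one.
$alice = ['id' => 7, 'role' => 'employee'];
var_dump(manage_user_vulnerable($db, ['id' => '8']));
var_dump(manage_user_hardened($db, ['id' => '8'], $alice));
var_dump(manage_user_hardened($db, ['id' => '7'], $alice));
```

The first call returns bob's record to alice; the hardened handler refuses the same request and only serves her own ID.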

Tracking


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester leave Application System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester leave Application System

Thu, 02 Apr 2026 11:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.

Type: Title
Values Removed: (none)
Values Added: SourceCodester Leave Application System User Information index.php authorization

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-285; CWE-639

Type: References
Values Removed: (none)
Values Added: (no values listed)

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0
{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T10:45:10.736Z

Reserved: 2026-04-01T13:18:37.607Z

Link: CVE-2026-5326

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T11:16:23.010

Modified: 2026-04-02T11:16:23.010

Link: CVE-2026-5326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:32Z

Weaknesses