Description
A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affected by this issue is some unknown functionality of the file save_emp.php of the component Add Employee Page. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-04-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Apply Patch
AI Analysis

Impact

The flaw appears in the save_emp.php script of the Add Employee page and permits an attacker to upload any file type without validation. This unrestricted upload, classed under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), can be exploited by an attacker who remotely uploads malicious content to the server. While the CVE description states that remote exploitation is possible, it does not explicitly confirm that uploaded files will be executed; the ability to run arbitrary code is inferred based on the nature of the upload and the availability of a published exploit.

Affected Systems

SourceCodester Record Management System 1.0 and its equivalent jkev Record Management System 1.0 are affected. The vulnerability resides in the add‑employee module and does not affect other components listed for this release.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The CVE notes that a public exploit exists and that remote exploitation is possible; thus, attackers could send a malicious payload to the vulnerable save_emp.php endpoint over the network. This could lead to remote code execution if the web server or application later processes the file as executable, though such execution is inferred rather than confirmed from the public statement.

Generated by OpenCVE AI on April 5, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for SourceCodester Record Management System 1.0 if available
  • If no patch exists, configure the upload functionality to allow only approved file types and MIME types
  • Disable or remove the vulnerable save_emp.php endpoint if it is not required
  • Deploy a web application firewall to block suspicious file upload attempts
  • Monitor server logs for anomalous upload activity
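
One way to act on the log-monitoring recommendation, as an added example that is not part of the CVE record or the vendor's code: it reads web server access logs in the common "combined" format and flags a server-side script path that is served for the first time to a client shortly after that client's POST to save_emp.php. The 30-minute window, the extension list and all sample paths and addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format: client, timestamp, method, target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
UPLOAD_ENDPOINT = "/save_emp.php"   # endpoint named in the CVE description
WINDOW = timedelta(minutes=30)      # assumed correlation window

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, method, target.split("?", 1)[0], int(status)

def find_suspect_requests(lines):
    """Flag script paths first served to a client shortly after its upload POST."""
    seen_scripts = set()   # script paths already served with status 200
    uploads = {}           # client -> time of its latest accepted upload POST
    alerts = []
    for client, when, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT) and status < 400:
            uploads[client] = when
        if status != 200 or not SCRIPT_EXT.search(path):
            continue
        last = uploads.get(client)
        is_new = path not in seen_scripts
        seen_scripts.add(path)
        if is_new and method == "GET" and last and timedelta(0) <= when - last <= WINDOW:
            alerts.append((client, path, when.isoformat()))
    return alerts

# Constructed sample log lines (hypothetical paths, documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [05/Apr/2026:10:00:01 +0000] "GET /rms/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2026:10:00:05 +0000] "GET /rms/add_emp.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2026:10:02:10 +0000] "POST /rms/save_emp.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2026:10:02:40 +0000] "GET /rms/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2026:10:03:02 +0000] "GET /rms/uploads/photo_1.php?v=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2026:10:04:00 +0000] "GET /rms/uploads/photo_2.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_suspect_requests(SAMPLE):
        print("review:", alert)
```

The heuristic needs log history from before the upload so that the application's own pages are already in the baseline; without it, any legitimate page first visited after an upload is also flagged.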


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Jkev; Jkev record Management System; Sourcecodester; Sourcecodester record Management System

Type: Vendors & Products
Values Added: Jkev; Jkev record Management System; Sourcecodester; Sourcecodester record Management System

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 15:45:00 +0000

Type: Description
Values Added: A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affected by this issue is some unknown functionality of the file save_emp.php of the component Add Employee Page. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Type: Title
Values Added: SourceCodester/jkev Record Management System Add Employee save_emp.php unrestricted upload

Type: Weaknesses
Values Added: CWE-284; CWE-434

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T15:26:32.511Z

Reserved: 2026-04-04T14:45:21.680Z

Link: CVE-2026-5576

Vulnrichment

Updated: 2026-04-06T15:26:28.107Z

NVD

Status: Deferred

Published: 2026-04-05T16:16:19.123

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:35Z

Weaknesses