Description
A vulnerability was identified in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A malicious user can manipulate the ID parameter in the 370project/edit.php page of code‑projects Employee Management System 1.0, causing the application to output unsanitized script content. The vulnerability allows an attacker to inject arbitrary HTML or JavaScript that is executed in the browsers of users who view the affected page. Such cross‑site scripting can lead to session hijacking, credential theft, defacement, or the delivery of further malware.

Affected Systems

The affected product is code‑projects Employee Management System, version 1.0. The flaw resides in an unknown section of the file 370project/edit.php, which processes the ID argument supplied by the user.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; the EPSS score of < 1% suggests very low current exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote input via the ID parameter, and exploitation only requires a victim to visit the vulnerable page. While publicly available exploit code exists, active exploitation is currently unlikely based on the EPSS and KEV data.

Generated by OpenCVE AI on April 28, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any official patch that sanitises the ID parameter in edit.php
  • Validate the ID input and encode output so that no script tags are reflected in the browser
  • Configure a Web Application Firewall rule to block script injection attempts on the edit.php endpoint

Generated by OpenCVE AI on April 28, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects employee Management System
Vendors & Products Code-projects
Code-projects employee Management System

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Title code-projects Employee Management System edit.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Employee Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:07:43.330Z

Reserved: 2026-04-26T08:54:37.729Z

Link: CVE-2026-7095

cve-icon Vulnrichment

Updated: 2026-04-27T12:07:39.203Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T08:16:02.350

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7095

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses