Description
A vulnerability was identified in code-projects Employee Management System 1.0. This vulnerability affects unknown code of the file 370project/delete.php. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection that can lead to unauthorized data disclosure and modification
Action: Patch
AI Analysis

Impact

A vulnerability was identified in code-projects Employee Management System 1.0, specifically in the delete.php file. Manipulating the ID argument allows attackers to inject arbitrary SQL statements, leading to unauthorized data access, alteration, or deletion. The flaw is a classic SQL injection issue, classified under CWE-74 and CWE-89, and can compromise database confidentiality and integrity.

Affected Systems

The affected system is code-projects Employee Management System version 1.0. No other vendor or product variants are listed, and the vulnerability resides in an unknown code section of delete.php, which is part of the employee management web application. Systems running this version without a patch are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk. The EPSS score is less than 1%, suggesting low current exploitation probability, and the issue is not yet listed in the CISA KEV catalog. The attack may be launched remotely by attackers with network access to the web application, and the exploit is publicly available and might be used.

Generated by OpenCVE AI on April 28, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer release that fixes the SQL injection in delete.php.
  • Modify the delete.php code to use parameterized queries and validate the ID input to block injection attempts.
  • Implement a Web Application Firewall rule to detect and block SQL injection patterns targeting the delete.php endpoint.
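
The second recommended action, sketched as an added example (this is not the project's code and not part of the OpenCVE record): the ID value is validated as a positive integer and then passed to the DELETE as a bound parameter. The table name `employee`, the sample rows, the request values and the in-memory SQLite database standing in for the application's database are all assumptions; it needs PHP 8 with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Accept only a positive decimal integer; anything else yields null.
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Delete one row using a bound parameter, so the id is never part of the SQL text.
// Returns true only when exactly one row was removed.
function delete_employee(PDO $db, int $id): bool
{
    $stmt = $db->prepare('DELETE FROM employee WHERE id = :id'); // hypothetical table
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed stand-in database (in-memory SQLite) with three sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO employee (id, name) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

// Constructed request values: one valid id, malformed ids, and an unknown id.
foreach (['2', '2 OR 1=1', '-1', '', '99'] as $raw) {
    $id = parse_id($raw);
    if ($id === null) {
        $result = 'rejected, respond 400';
    } elseif (delete_employee($db, $id)) {
        $result = 'deleted';
    } else {
        $result = 'no such row, respond 404';
    }
    printf("%-12s => %s\n", var_export($raw, true), $result);
}

// Only the row addressed by the valid id should be gone.
$left = (int) $db->query('SELECT COUNT(*) FROM employee')->fetchColumn();
echo "rows remaining: {$left}\n";
```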

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects employee Management System
Vendors & Products | | Code-projects; Code-projects employee Management System

Mon, 27 Apr 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in code-projects Employee Management System 1.0. This vulnerability affects unknown code of the file 370project/delete.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
Title | | code-projects Employee Management System delete.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T10:59:51.391Z

Reserved: 2026-04-26T16:01:04.096Z

Link: CVE-2026-7115

Vulnrichment

Updated: 2026-04-27T10:59:47.839Z

NVD

Status: Deferred

Published: 2026-04-27T11:16:02.507

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z
