Description
A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Code-Projects Employee Management System 1.0 contains an input handling flaw in mark.php that allows attackers to inject arbitrary script code. This is a typical cross-site scripting (XSS) flaw, identified as CWE-79; the record also lists CWE-94 (code injection), indicating that the injected input may potentially be interpreted as code. Successful exploitation can lead to session hijacking, credential theft, and defacement of the web interface.

Affected Systems

The affected product is the code‑projects Employee Management System. No specific version numbers beyond 1.0 are listed, and the description indicates that the flaw impacts file 370project/mark.php within this system. Administrators should verify whether they are running the impacted module and scan their environment for the presence of the vulnerable file.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. However, the vulnerability is publicly documented and the exploit code has been released, meaning that a determined adversary could easily craft a malicious request. Since the flaw is triggered through ordinary HTTP requests, the attack vector is network-based (AV:N in the recorded CVSS vectors). The vulnerability is not listed in the CISA KEV catalog, but the combination of the score and the public exploit warrants prompt action.

Generated by OpenCVE AI on April 28, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update or patch the Employee Management System to a version that contains the fix once the vendor releases one.
  • Validate and output-encode all user-supplied data in mark.php before rendering it to the browser, so that it cannot be interpreted as script.
  • As a compensating control until a fix is available, deploy a web application firewall rule that blocks common script-injection patterns in requests to the affected page.
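The encoding recommendation above, as an added example that is not the project's own code: the parameter names and field layout are hypothetical, since the advisory does not name the vulnerable input in mark.php.

```php
<?php
// Added example (not the project's code): a minimal safe-rendering pattern
// for a PHP page such as mark.php. The parameter names "remark" and "marks"
// are hypothetical; the advisory does not name the vulnerable input.
declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and the charset is explicit.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate a value that must be numeric before it is stored or displayed;
// returns null when the input is not an integer in the expected range.
function marks_or_null($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    return $v === false ? null : $v;
}

$remark = (string)($_POST['remark'] ?? '');     // free-text field (hypothetical)
$marks  = marks_or_null($_POST['marks'] ?? ''); // numeric field (hypothetical)

// Defence in depth: a restrictive CSP blocks inline script even if an
// encoding gap remains elsewhere in the page. Headers go before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('X-Content-Type-Options: nosniff');

// Vulnerable pattern (CWE-79): the raw request value is written into the page.
// echo "<td>" . $_POST['remark'] . "</td>";

// Hardened pattern: every untrusted value is encoded at the point of output,
// and the numeric field is rejected rather than echoed when validation fails.
?>
<table>
  <tr>
    <td><?= h($remark) ?></td>
    <td><?= $marks === null ? 'invalid' : (string)$marks ?></td>
  </tr>
</table>
<input type="text" name="remark" value="<?= h($remark) ?>">
```

Encoding must happen at output time and per context; the same helper is not sufficient for values placed inside JavaScript or URL contexts, which need their own encoders.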

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects employee Management System
Vendors & Products Code-projects
Code-projects employee Management System

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Title code-projects Employee Management System mark.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:50:39.536Z

Reserved: 2026-04-26T16:01:08.440Z

Link: CVE-2026-7116

Vulnrichment

Updated: 2026-04-29T13:50:35.495Z

NVD

Status: Deferred

Published: 2026-04-27T12:16:25.243

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses