Description
A security vulnerability has been detected in code-projects Employee Management System 1.0. The affected element is an unknown function of the file 370project/cancel.php. Manipulation of the argument id/token leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in an unknown function of cancel.php (path 370project/cancel.php) within code-projects Employee Management System 1.0. By manipulating the id or token parameter, an attacker can inject arbitrary SQL into the query the script builds from those values. The flaw is classified as CWE-74 (injection) and CWE-89 (SQL injection): untrusted request input is placed into an SQL command without being neutralised, which can lead to unauthorised disclosure, modification or deletion of data in the application's database.

Affected Systems

The affected product is code-projects Employee Management System version 1.0. The vulnerability is located in the cancel.php script under the 370project directory. No other versions or components are listed as affected.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (CVSS v3.1: 6.3; CVSS v2.0: 6.5) indicates moderate severity, and the EPSS score of <1% suggests it is unlikely to be widely exploited at present. It is not listed in the CISA KEV catalog. The SSVC assessment recorded below rates exploitation as "poc" (a public proof of concept exists) and the issue as not automatable. The attack vector is network: the exploit is triggered through crafted HTTP requests to cancel.php. Note, however, that every CVSS vector recorded for this CVE requires low privileges (PR:L in v3/v4, Au:S in v2), so the attacker needs an account on the application. An attacker who successfully injects SQL can potentially read, modify, or delete employee data stored in the system's database.

Generated by OpenCVE AI on April 28, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a vendor‑supplied security patch, or upgrade to a release of Employee Management System that addresses the SQL injection in cancel.php, as soon as one is published; at the time of writing no vendor fix is listed in the Remediation section above.
  • Until a patch is available, modify cancel.php so that id and token are never concatenated into an SQL string: validate their format (id as a positive integer, token against the format the application actually issues) and pass them to the database through prepared statements with bound parameters. Escaping alone is not a substitute for parameter binding.
  • Enforce strict access controls: require authentication before cancel.php can be reached and verify that the requesting user is authorised to cancel the record identified by id/token, so the parameters are only ever acted on for records the user owns.
  • Deploy a web application firewall or intrusion detection system configured to detect and block typical SQL injection payloads targeting the id/token parameters, as a compensating control and a source of detection telemetry, not as a replacement for the code fix.
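The following is an added example illustrating the Impact section and the second recommended action above; it is not code from code-projects Employee Management System, and this page does not reproduce the real cancel.php. The schema (a requests table with id and token columns), the assumption that cancelling deletes one row, and the hex token format are all illustrative choices. It uses PDO with an in-memory SQLite database so that it runs stand-alone; the same prepare/bindValue calls apply unchanged to a MySQL DSN.

```php
<?php
// Added example; not code from code-projects Employee Management System.
// The table name, column names, token format and "cancel deletes a row"
// behaviour are assumptions made for illustration only.

declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE requests (id INTEGER PRIMARY KEY, token TEXT NOT NULL, status TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO requests VALUES (1, 'a1b2c3', 'pending'), (2, 'd4e5f6', 'pending'), (3, '778899', 'pending')");
    return $db;
}

// Vulnerable pattern (the kind of code CWE-89 describes): request parameters
// are concatenated straight into the SQL string, so a crafted value is parsed as SQL.
function cancelVulnerable(PDO $db, string $id, string $token): int {
    $sql = "DELETE FROM requests WHERE id = '$id' AND token = '$token'";
    return $db->exec($sql);   // number of rows deleted
}

// Hardened version: validate the shape of each input first, then bind it as a
// parameter so the database engine never interprets it as part of the statement.
function cancelSafe(PDO $db, string $id, string $token): int {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        return 0;   // id must be a positive integer
    }
    if (!preg_match('/^[0-9a-f]{6,64}$/', $token)) {
        return 0;   // assumed hex token; adjust the pattern to what the app really issues
    }
    $stmt = $db->prepare('DELETE FROM requests WHERE id = :id AND token = :token');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->bindValue(':token', $token, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function remaining(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM requests')->fetchColumn();
}

// Demonstration. A token value that closes the quote and appends a tautology turns
// the vulnerable query into  ... AND token = 'x' OR '1'='1'  which matches every row.
$payload = "x' OR '1'='1";

$db = setupDb();
printf("vulnerable: %d row(s) deleted, %d remaining\n", cancelVulnerable($db, '1', $payload), remaining($db));

$db = setupDb();
printf("hardened:   %d row(s) deleted, %d remaining\n", cancelSafe($db, '1', $payload), remaining($db));
printf("hardened, legitimate request: %d row(s) deleted\n", cancelSafe($db, '2', 'd4e5f6'));
```

Run with php on a build that has pdo_sqlite enabled. The vulnerable function deletes all three rows for the injected token, while the hardened one rejects the payload at validation and, even if a value passed validation, would compare it only as a bound literal. The same id/token checks are a cheap signal for the fourth recommendation: a request whose id is not an integer or whose token contains a quote is worth alerting on.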

Generated by OpenCVE AI on April 28, 2026 at 04:30 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 05:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Code-projects
                                      Code-projects employee Management System
Vendors & Products   (none)           Code-projects
                                      Code-projects employee Management System

Mon, 27 Apr 2026 14:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 11:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           A security vulnerability has been detected in code-projects Employee Management System 1.0. The affected element is an unknown function of the file 370project/cancel.php. The manipulation of the argument id/token leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
Title        (none)           code-projects Employee Management System cancel.php sql injection
Weaknesses   (none)           CWE-74
                              CWE-89
References
Metrics      (none)           cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Employee Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:42:44.597Z

Reserved: 2026-04-26T16:01:26.086Z

Link: CVE-2026-7118

Vulnrichment

Updated: 2026-04-27T13:40:15.404Z

NVD

Status: Deferred

Published: 2026-04-27T12:16:25.613

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses