Description
A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in code‑projects Employee Management System 1.0 permits a remote attacker to inject unsanitized JavaScript via the ID parameter of the /eloginwel.php file. The injected script runs in the victim's browser, enabling actions such as credential theft, session hijacking, or site defacement. The root cause is improper neutralization of user input during web page generation (CWE‑79); the record also assigns CWE‑94, so server‑side code injection may be possible as well.

Affected Systems

The affected product is code‑projects Employee Management System version 1.0; the flaw resides in the /eloginwel.php file and may impact any deployment using this component. No other versions are explicitly listed as vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS data is not available, so the likelihood of exploitation remains uncertain. The flaw can be triggered remotely by sending a crafted HTTP request to /eloginwel.php with a malicious ID value, and public exploit code is available. The vulnerability is not yet listed in CISA’s KEV catalog, but the existence of a public exploit means it can be abused in the field.

Generated by OpenCVE AI on May 25, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Employee Management System to a version that sanitizes the ID parameter in eloginwel.php.
  • If an update is not yet available, enforce strict server‑side validation that accepts only numeric identifiers and escape or reject all other input before rendering.
  • Implement a Content Security Policy that blocks inline script execution and limits source domains, thus containing any accidental client‑side payload execution.
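The three actions above map directly onto a request handler. The following PHP is an added example, not code from code-projects or from the actual eloginwel.php (whose source is not on this page); it assumes the vulnerable pattern is a reflected query parameter named ID (the name is taken from the advisory, the exact casing is an assumption) and shows that pattern next to a hardened version that validates the identifier server-side, encodes on output, and sends a CSP header:

```php
<?php
// Added example (not the project's own eloginwel.php): a reflected-XSS
// pattern beside a hardened handler for a numeric "ID" parameter.
declare(strict_types=1);

// Hypothetical vulnerable pattern: the raw parameter is echoed into HTML,
// so any markup an attacker places in ID reaches the victim's browser.
function renderUnsafe(array $query): string
{
    $id = $query['ID'] ?? '';
    return "<p>Employee ID: " . $id . "</p>";
}

// Hardened step 1: accept only a canonical positive decimal integer.
// FILTER_VALIDATE_INT rejects letters, markup, signs on zero, and leading
// zeros ("007"), so the value is either a clean int or null.
function validateEmployeeId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: reject invalid input with a 400 and HTML-encode on output.
// Encoding an integer is redundant today, but it keeps the template safe if
// the field is ever widened to a string.
function renderSafe(array $query): string
{
    $id = validateEmployeeId((string)($query['ID'] ?? ''));
    if ($id === null) {
        http_response_code(400);
        return "<p>Invalid employee identifier.</p>";
    }
    $encoded = htmlspecialchars((string)$id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Employee ID: " . $encoded . "</p>";
}

// Hardened step 3: a Content Security Policy that blocks inline script and
// restricts script sources, containing any payload that slips past encoding.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli') {
    // Web request: headers first, then the validated page body.
    sendSecurityHeaders();
    echo renderSafe($_GET);
} else {
    // Constructed sample inputs for a local check: php example.php
    foreach (['42', '007', 'abc', '<b>1</b>', '-1', ''] as $sample) {
        printf("%-12s -> %s\n", var_export($sample, true), renderSafe(['ID' => $sample]));
    }
}
```

Run from the command line, only "42" produces an employee page; "007", "abc", "<b>1</b>", "-1" and the empty string all fall into the 400 branch before any of their bytes are rendered. renderUnsafe() is kept only for contrast with the hardened handler and should not be deployed; the CSP is defense in depth, not a substitute for the validation and encoding.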

Advisories

No advisories yet.

History

Mon, 25 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Title | | code-projects Employee Management System eloginwel.php cross site scripting
First Time appeared | | Code-projects; Code-projects employee Management System
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects employee Management System
References | |
Metrics | | cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Employee Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T01:45:09.043Z

Reserved: 2026-05-24T06:42:57.298Z

Link: CVE-2026-9415

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T03:30:15Z

Weaknesses