Description
A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Employee Management System’s /myprofile.php, where manipulating the ID argument can lead to a cross‑site scripting injection. This flaw allows an attacker to embed arbitrary JavaScript that will run in the victim’s browser when the page is viewed, potentially hijacking sessions, defacing content, or executing further phishing actions. The weakness aligns with CWE‑79 (XSS) and, due to the code‑execution nature, also reflects aspects of CWE‑94 (Code Injection).

Affected Systems

The flaw has been confirmed in code‑projects Employee Management System version 1.0. No impact certainty is established for other releases, and the vendor has not disclosed a fix or a newer version in the available data.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the medium severity range, and it is not listed in the CISA KEV catalog. EPSS information is unavailable, but the described remote exploit path—sending a crafted ID parameter to a publicly accessible URL—implies that a remote attacker can trigger the vulnerability from anywhere with network connectivity to the affected server. The lack of a publicly available patch increases the urgency for mitigation.

Generated by OpenCVE AI on May 25, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of Employee Management System where the XSS issue is resolved.
  • If an immediate upgrade is not possible, modify the /myprofile.php handler to enforce rigorous input validation and output encoding on the ID parameter to neutralize malicious scripts.
  • Deploy application‑level defenses such as a web application firewall to detect and block common XSS payloads targeting the ID field.

Generated by OpenCVE AI on May 25, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title code-projects Employee Management System myprofile.php cross site scripting
First Time appeared Code-projects
Code-projects employee Management System
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*
Vendors & Products Code-projects
Code-projects employee Management System
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Employee Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T02:00:10.443Z

Reserved: 2026-05-24T06:42:59.906Z

Link: CVE-2026-9416

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T03:30:15Z

Weaknesses