Description
A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Manipulation of the argument ID results in cross site scripting. The attack can be carried out remotely. A public exploit is available and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in /myprofileup.php in code-projects Employee Management System 1.0 allows an attacker to place script in the ID parameter that is written, unescaped, into the page and executed in the victim's browser (CWE-79). Based on the description and the submitted CVSS vectors (PR:N with UI:R in v3.x and UI:P in v4.0), the attacker needs no account, but a victim must be induced to open a crafted link or submit a crafted request, which is the pattern of a reflected cross-site scripting bug rather than a stored one. The scored impact is to integrity only (C:N, I:L, A:N). In practice, script running in an authenticated user's session can perform actions as that user and alter what the page displays, and, if the session cookie is not marked HttpOnly, read it; none of that is reflected in the submitted score, which records only the direct effect on the vulnerable page.

Affected Systems

code‑projects Employee Management System, released version 1.0. The CPE recorded for the CVE (cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*) carries a wildcard version rather than 1.0, so treat any deployment that still ships the affected /myprofileup.php as exposed until the vendor publishes a fixed release.

Risk and Exploitability

The 5.3 headline score is the CVSS 4.0 value; the CVSS 3.0 and 3.1 vectors score the same issue at 4.3, also Medium. The EPSS score is not yet available and the CVE is not listed in the CISA KEV catalog, although the submitter records a public proof of concept (E:P in the v3.x and v4.0 vectors, E:POC in v2.0). The attacker needs no privileges (PR:N) and the request can be sent from anywhere the application is reachable (AV:N), but exploitation depends on a user opening the crafted URL or page (UI:R): sending the payload to the server on its own does not run script in anyone else's browser. The attacker does need to know or guess a reachable instance and a way to deliver the link to a user of it.

Generated by OpenCVE AI on May 25, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's fixed release as soon as one is published; none is available at the time of writing, so the measures below are the interim mitigation.
  • Validate the ID parameter server-side as a positive integer before it is used anywhere, and on failure return an error page rather than echoing the rejected value back into the response.
  • Encode every value written into HTML at the output sink with the encoder for that context (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset for body and attribute contexts) instead of relying on the browser; as defence in depth, send a Content-Security-Policy that disallows inline script and mark the session cookie HttpOnly and SameSite, which limits what injected script can do if a sink is missed.
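The two remediation steps above as a worked example. This is added here and is not code from the code-projects Employee Management System; the project's actual myprofileup.php is not reproduced on this page, so the vulnerable handler below is a hypothetical reconstruction of the pattern the CVE describes (the ID argument echoed into an HTML attribute), and the function names, the hidden-field markup and the sample probe are assumptions for illustration. The hardened version rejects anything that is not a positive integer and encodes at the output sink regardless.

```php
<?php
declare(strict_types=1);

// Hypothetical vulnerable pattern (not the project's code): the ID argument is
// taken from the query string and concatenated straight into an attribute, so a
// value that closes the quote and the tag becomes live markup.
function render_id_vulnerable(array $query): string
{
    $id = $query['ID'] ?? '';
    return '<input type="hidden" name="ID" value="' . $id . '">';
}

// Hardened step 1: validate. A profile ID is an integer, so anything that is not
// a positive integer (including an array from ID[]=...) is rejected before use.
function validate_profile_id(array $query): ?int
{
    $raw = $query['ID'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: encode at the sink. ENT_QUOTES covers both quote styles so
// the value is safe inside attributes, ENT_SUBSTITUTE avoids an empty return
// on invalid UTF-8, and the charset is explicit rather than inherited from ini.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_id_hardened(array $query): string
{
    $id = validate_profile_id($query);
    if ($id === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        // The rejected input is deliberately not echoed back.
        return '<p>Invalid profile ID.</p>';
    }
    // Encoding is kept even though $id is now a known-safe integer, so the
    // sink stays safe if this line is later copied for a free-text field.
    return '<input type="hidden" name="ID" value="' . e((string) $id) . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a typical reflected-XSS probe in the ID argument.
    $probe = ['ID' => '1"><script>alert(document.domain)</script>'];
    echo "vulnerable:       " . render_id_vulnerable($probe) . PHP_EOL;
    echo "encoded only:     " . e($probe['ID']) . PHP_EOL;
    echo "hardened:         " . render_id_hardened($probe) . PHP_EOL;
    echo "hardened (valid): " . render_id_hardened(['ID' => '42']) . PHP_EOL;
}
```

Run with `php example.php` to see the four lines side by side. The "encoded only" line shows that output encoding alone already neutralises the probe (the quote and angle brackets come out as entities), while the validation step stops the value from reaching any other sink, such as a database lookup, where HTML encoding would be the wrong defence.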


Advisories

No advisories yet.

History

Mon, 25 May 2026 03:30:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Title                -                code-projects Employee Management System myprofileup.php cross site scripting
First Time appeared  -                Code-projects
                                      Code-projects employee Management System
Weaknesses           -                CWE-79
                                      CWE-94
CPEs                 -                cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*
Vendors & Products   -                Code-projects
                                      Code-projects employee Management System
References           -                -
Metrics              -                cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T02:15:10.880Z

Reserved: 2026-05-24T06:43:02.642Z

Link: CVE-2026-9417

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T06:00:09Z

Weaknesses