Description
A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown function of the file /changepassemp.php. Manipulation of the argument ID can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the /changepassemp.php script of code-projects Employee Management System 1.0 (judging by the file name, an employee password-change page). The ID argument supplied in the request is neither validated nor output-encoded, so attacker-controlled data is written into the page and a classic cross site scripting payload executes in the victim's browser. An attacker who gets a victim to open a crafted URL can run script in the victim's session, with the usual consequences: theft of session cookies or tokens, actions performed as the victim, or injection of phishing content; on a password-change form this can include altering where the submitted credentials are sent. The weakness is tracked as CWE-79 (improper neutralization of input during web page generation); VulDB additionally tags it CWE-94 (code injection). The impact is confined to the victim's browser session and the data it can reach, but that is enough to compromise user accounts and to support social engineering attacks.

Affected Systems

Affected product: code‑projects Employee Management System version 1.0. No other versions or vendors were listed as impacted.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (4.3 under CVSS 3.x, 5.0 under CVSS 2.0) denotes moderate severity. The vectors show why: the attack is network-reachable and needs no privileges or authentication (AV:N, PR:N), but a victim must interact by opening the crafted link (UI:P in CVSS 4.0, UI:R in CVSS 3.x), and the rated impact is limited to integrity (I:L). A proof-of-concept exploit has been published (E:P). No EPSS score is available yet, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of widespread exploitation at the time of reporting. Nonetheless, because the flaw can be triggered by a crafted URL without any prior access, the risk remains significant for installations reachable by untrusted users, and the assessment may change once NVD enrichment is published.

Generated by OpenCVE AI on May 25, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update or upgrade to the latest version of Employee Management System once a vendor patch becomes available
  • Validate the ID parameter in changepassemp.php (an employee ID should be an integer; reject anything else) and HTML-encode every dynamic value written into the page, so that input cannot break out of its HTML context
  • Deploy a Content Security Policy that disallows inline script and untrusted script sources as defence in depth; this limits what an injected payload can do but does not replace fixing the encoding
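
The following PHP is an added illustration, not code from code-projects Employee Management System: the actual contents of changepassemp.php are not shown on this page, so the vulnerable pattern (renderVulnerable) is an assumption about how an unencoded ID argument ends up in the HTML, and the function names, the sample payload and the hardened version (parseEmployeeId, h, renderHardened, sendSecurityHeaders) are constructed for this example. It demonstrates the defect class described in the Impact section and the three recommended actions in order: validate the ID, encode output, and send a CSP as defence in depth.

```php
<?php
// Added example. Not the project's code; the real changepassemp.php is not on
// the advisory page, so the vulnerable pattern below is an assumption about how
// an "ID" argument reaches the HTML unencoded (CWE-79).
declare(strict_types=1);

// --- Vulnerable pattern (assumed): raw query-string value concatenated into HTML ---
function renderVulnerable(array $get): string
{
    $id = $get['ID'] ?? '';
    // ID=1"><script>alert(1)</script> closes the attribute and the tag, and the
    // script runs in the browser of whoever opened the link.
    return '<input type="hidden" name="ID" value="' . $id . '">';
}

// --- Hardened version ---
// 1. Validate: an employee ID is a positive integer; anything else is rejected.
function parseEmployeeId(array $get): ?int
{
    $raw = $get['ID'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Encode: every dynamic value placed into HTML goes through htmlspecialchars.
//    ENT_QUOTES escapes both " and ' (needed inside attributes), ENT_SUBSTITUTE
//    avoids returning an empty string on invalid UTF-8, and the charset is explicit.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(array $get): string
{
    $id = parseEmployeeId($get);
    if ($id === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return '<p>Invalid employee ID.</p>';
    }
    // Even a validated integer is encoded: context-correct encoding at the output
    // point is the actual fix for CWE-79; validation only narrows the input.
    return '<input type="hidden" name="ID" value="' . h((string) $id) . '">';
}

// 3. Defence in depth: a Content Security Policy that forbids inline script.
//    This does not fix the bug; it limits what an injected payload can do.
//    Must be called before any output is sent.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample requests (not captured from a real system).
$payload = ['ID' => '1"><script>alert(document.cookie)</script>'];
$benign  = ['ID' => '42'];

if (PHP_SAPI === 'cli') {
    echo "vulnerable: ", renderVulnerable($payload), PHP_EOL;
    echo "encoded:    ", h($payload['ID']), PHP_EOL;
    echo "hardened:   ", renderHardened($payload), PHP_EOL;
    echo "hardened:   ", renderHardened($benign), PHP_EOL;
}
```

Run with `php example.php`: the vulnerable line reproduces the payload intact inside the markup, the encoded line shows the same payload rendered inert (`&quot;`, `&lt;script&gt;`), and the hardened path rejects the payload outright while passing the integer 42 through encoded. In a real deployment, sendSecurityHeaders() is called at the top of the script before any HTML is emitted, and the same h() helper is applied to every other dynamic value on the page, not only to ID.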

Advisories

No advisories yet.

History

Mon, 25 May 2026 03:30:00 +0000

Values removed: none

Type: Description
Values added: A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.

Type: Title
Values added: code-projects Employee Management System changepassemp.php cross site scripting

Type: First Time appeared
Values added: Code-projects; Code-projects employee Management System

Type: Weaknesses
Values added: CWE-79; CWE-94

Type: CPEs
Values added: cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Code-projects; Code-projects employee Management System

Type: References
Values added: (none listed)

Type: Metrics
Values added:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T02:30:10.304Z

Reserved: 2026-05-24T06:43:05.257Z

Link: CVE-2026-9418

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T05:00:12Z

Weaknesses