Description
A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Employee Management System 1.0 in the file /empproject.php. By manipulating the ID argument, an attacker can inject arbitrary script code into the browser context, enabling remote execution of JavaScript. The injected payload can steal credentials, hijack sessions, or perform actions on behalf of the user, thereby compromising confidentiality and integrity of the system.

Affected Systems

The affected product is code‑projects Employee Management System version 1.0. The bug is tied to the /empproject.php module; no specific patch versions are listed in the advisory. Systems running this version without a recent update are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, so the probability of large‑scale exploitation is uncertain. However, the nature of the flaw (remote cross‑site scripting via a publicly exposed URL) makes it attractive for attackers who can employ automated scanners or craft malicious links. Because the exploit has been disclosed publicly, an attacker can directly target any exposed instance of the application.

Generated by OpenCVE AI on May 25, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of the code‑projects Employee Management System that fixes the ID parameter sanitization in /empproject.php.
  • Limit access to the /empproject.php endpoint to authenticated and authorized users only.
  • Implement server‑side input validation for the ID parameter and escape all output before rendering the page.

Advisories

No advisories yet.

History

Mon, 25 May 2026 03:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| Title | | code-projects Employee Management System empproject.php cross site scripting |
| First Time appeared | | Code-projects |
| | | Code-projects employee Management System |
| Weaknesses | | CWE-79 |
| | | CWE-94 |
| CPEs | | cpe:2.3:a:code-projects:employee_management_system:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Code-projects |
| | | Code-projects employee Management System |
| References | | |
| Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T02:45:10.701Z

Reserved: 2026-05-24T06:43:08.588Z

Link: CVE-2026-9419

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T04:30:16Z

Weaknesses