Description
A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw located in an unspecified function of the /applyleave.php file. By manipulating the ID query string, an attacker can inject arbitrary JavaScript that will execute in the victim’s browser while the page is rendered. Based on the description, it is inferred that this enables theft of session cookies, unauthorized actions performed on behalf of the user, or redirecting the victim to malicious sites. The weakness is rooted in improper input validation and output encoding (CWE‑79) and may also involve a code injection path (CWE‑94).

Affected Systems

code‑projects Employee Management System 1.0 is affected. No additional versions are listed, and the exact function name is not disclosed, but the flaw resides in the applyleave.php component.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited remotely by submitting a crafted ID parameter in a URL or form submission, and the exploit has been publicly disclosed.

Generated by OpenCVE AI on May 25, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a version of Employee Management System that sanitizes and properly encodes all user‑supplied input in applyleave.php
  • Sanitize and validate every occurrence of the ID parameter on the server side, ensuring it contains only expected data types and ranges
  • Implement output encoding (e.g., HTML entity encoding) for any data derived from user input before rendering it to the page
  • If a patch is not immediately available, deploy a web application firewall rule that blocks suspicious or non‑numeric ID values and logs potential XSS attempts
  • Monitor application access logs for repeated attempts to inject scripts or for unusual patterns in the ID query string
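The two server-side actions above (validate the ID parameter, then encode anything derived from it before it reaches the page) are illustrated below in PHP. This is an added example written for this page; it is not code from code-projects Employee Management System, and the function names, the assumption that applyleave.php reads the value from $_GET['ID'], and the sample inputs are all constructed for the illustration.

```php
<?php
// Added example, not the project's code. Assumed: applyleave.php reads a
// leave-request id from $_GET['ID'] and writes it back into the HTML.
// The vulnerable pattern is shown first, then a hardened handler that
// validates on input and encodes on output.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative): raw parameter copied into HTML ---
// Whatever arrives in ID lands inside the attribute unchanged, which is the
// reflected XSS condition described in the advisory.
function render_vulnerable(array $get): string
{
    $id = $get['ID'] ?? '';
    return '<input type="hidden" name="ID" value="' . $id . '">';
}

// --- Hardened version ---

/**
 * Server-side validation: ID must be a positive integer in a sane range.
 * Returns the integer, or null when the value is absent or malformed.
 */
function validate_leave_id(array $get): ?int
{
    if (!isset($get['ID']) || !is_string($get['ID'])) {
        return null;
    }
    $id = filter_var($get['ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

/** Output encoding for any value placed into an HTML attribute or text node. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $get): string
{
    $id = validate_leave_id($get);
    if ($id === null) {
        // Reject instead of reflecting: log the attempt for monitoring and
        // return a generic error. The log text is a constructed example.
        error_log('applyleave.php: rejected non-numeric ID parameter');
        http_response_code(400);
        return '<p>Invalid request.</p>';
    }
    // $id is an int now, but encode at the output boundary anyway so the
    // rule "encode everything user-derived" holds without exceptions.
    return '<input type="hidden" name="ID" value="' . h((string) $id) . '">';
}

// Constructed sample requests: one well-formed, one carrying markup in ID.
$benign  = ['ID' => '42'];
$hostile = ['ID' => '7"><b>x</b>'];

echo render_hardened($benign), PHP_EOL;
echo render_hardened($hostile), PHP_EOL;
```

The validation step alone closes the reflected path for this parameter, because a value that is not an integer never reaches the template; the encoding helper is kept as the second layer so that any other field rendered by the same page gets the same treatment.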

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Change set (nothing was removed; all entries below are values added):

Type: Description
  Values Added: A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Type: Title
  Values Added: code-projects Employee Management System applyleave.php cross site scripting

Type: First Time appeared
  Values Added: Code-projects; Code-projects employee Management System

Type: Weaknesses
  Values Added: CWE-79; CWE-94

Type: CPEs
  Values Added: cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Added: Code-projects; Code-projects employee Management System

Type: References
  Values Added: (none listed)

Type: Metrics
  Values Added:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T10:00:13.514Z

Reserved: 2026-05-24T07:49:10.964Z

Link: CVE-2026-9448

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T13:00:14Z

Weaknesses