Description
A vulnerability was identified in code-projects Employee Management System 1.0. This impacts an unknown function of the file /changepassemp.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the change-password functionality of the Employee Management System enables attackers to craft malicious input that is directly incorporated into SQL statements. This leads to an injection vulnerability that can expose, modify, or delete stored data when exploited. The vulnerability is limited to the SQL layer; the CVE description does not specify whether authentication is required to trigger it, but it is inferred that an unauthenticated request may be able to trigger the flaw.

Affected Systems

The affected product is code-projects Employee Management System version 1.0, as identified by the vendor's CPE string and listed in the CVE references.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. No EPSS score is available, but the description notes that the exploit is publicly available and that a remote attacker can initiate it. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely transmit crafted requests to the changepassemp.php endpoint over the network in order to achieve data disclosure or modification.

Generated by OpenCVE AI on May 25, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Employee Management System to the latest release that includes the fix for the SQL injection in changepassemp.php
  • Configure the web server to restrict direct access to the changepassemp.php endpoint, allowing only authenticated administrative users to reach it
  • Implement input validation or use prepared statements in the application code to prevent the injection of untrusted data into SQL queries

Tracking

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A vulnerability was identified in code-projects Employee Management System 1.0. This impacts an unknown function of the file /changepassemp.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Type: Title
  Values Removed: (none)
  Values Added: code-projects Employee Management System changepassemp.php sql injection

Type: First Time appeared
  Values Removed: (none)
  Values Added: Code-projects; Code-projects employee Management System

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-74; CWE-89

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Code-projects; Code-projects employee Management System

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Employee Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T10:15:11.209Z

Reserved: 2026-05-24T07:49:13.726Z

Link: CVE-2026-9449

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T13:00:14Z

Weaknesses