Description
A security flaw has been discovered in code-projects Employee Management System 1.0. Affected is an unknown function of the file /psubmit.php. The manipulation of the argument pid results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the /psubmit.php file of the code-projects Employee Management System 1.0. Manipulating the pid argument allows an attacker to inject arbitrary SQL code. This flaw can be exploited remotely, enabling unauthorized data extraction or modification. The impact is a compromise of confidentiality and integrity of the underlying database, and could allow further lateral movement if the database contains other sensitive information.

Affected Systems

Affected product: code-projects Employee Management System version 1.0. The specific vulnerable code is the unknown function in /psubmit.php which processes the pid parameter. Any installation using this version and exposing the web interface is potentially susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity scenario. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation is not yet widespread. However, public exploit code has been released, and attackers can target the system remotely by sending crafted requests to the /psubmit.php endpoint. The risk remains medium, with potential for data compromise if the vulnerability is present and the web service is publicly reachable.

Generated by OpenCVE AI on May 25, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or updated release (later than the affected 1.0) that fixes the pid parameter handling in /psubmit.php
  • If no patch exists, modify the code to validate or sanitize the pid input and use parameterized queries to prevent SQL injection
  • Configure web server or firewall rules to restrict direct access to /psubmit.php to trusted IP ranges, limiting the attack surface
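The second recommendation, shown as an added PHP example rather than code from the product or from OpenCVE: because the vulnerable function in /psubmit.php is unknown, the request source (`$_POST`), the `projects` table, its columns and the connection details below are assumptions. The handler rejects any pid that is not a positive integer and then binds the value with a PDO prepared statement.

```php
<?php
// Added example, not code from Employee Management System 1.0.
// Assumptions: pid arrives via $_POST, the table is `projects` with a `pid`
// column; the real function in /psubmit.php is unknown to this advisory.

// The pattern behind the flaw: an untrusted pid spliced into the SQL text.
// $sql = "SELECT * FROM projects WHERE pid = " . $_POST['pid'];

function loadProjectByPid(PDO $db, array $request): ?array
{
    // Step 1: validate. pid must be a positive integer; FILTER_VALIDATE_INT
    // returns false for a missing value or anything that is not a plain
    // integer, so SQL fragments never reach the query at all.
    $pid = filter_var($request['pid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pid === false) {
        http_response_code(400);
        return null;
    }

    // Step 2: parameterize. The value is bound as an integer, never
    // concatenated into the statement, so the database treats it as data.
    $stmt = $db->prepare('SELECT pid, name, status FROM projects WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connect(): PDO
{
    // Assumed DSN and credentials (placeholders). Emulated prepares are
    // disabled so MySQL performs the parameter binding server-side.
    return new PDO('mysql:host=127.0.0.1;dbname=ems', 'ems_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

$row = loadProjectByPid(connect(), $_POST);
```

Applying the same two steps (type validation, then bound parameters) to every other request parameter that reaches a query in the application closes the class of bug rather than this one instance.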

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type                | Values Removed | Values Added
Description         | -              | A security flaw has been discovered in code-projects Employee Management System 1.0. Affected is an unknown function of the file /psubmit.php. The manipulation of the argument pid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Title               | -              | code-projects Employee Management System psubmit.php sql injection
First Time appeared | -              | Code-projects; Code-projects employee Management System
Weaknesses          | -              | CWE-74; CWE-89
CPEs                | -              | cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:*
Vendors & Products  | -              | Code-projects; Code-projects employee Management System
References          | -              | -
Metrics             | -              | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T10:30:09.395Z

Reserved: 2026-05-24T07:49:16.390Z

Link: CVE-2026-9450

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T13:00:12Z

Weaknesses