Description
A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. Manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw triggered by manipulating the ID argument in the applyleaveprocess.php file. This weakness allows an attacker to inject arbitrary SQL through a remote request, giving unauthorized data read or modification capabilities. The issue is categorized as CWE-74 (Improper Handling of Parameterized Queries) and CWE-89 (SQL Injection).

Affected Systems

The affected product is the code-projects Employee Management System, version 1.0. No other versions or additional functionality details are listed.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS information is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, and the exploit has been publicly released. Attackers can target the system remotely by supplying crafted input to the ID field, potentially achieving unauthorized database access if not mitigated.

Generated by OpenCVE AI on May 25, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor patch or update for Employee Management System 1.0
  • Sanitize and validate the ID parameter before use in SQL queries, preferably using prepared statements or parameterized queries
  • Restrict database user privileges to the minimum necessary operations, eliminating UPDATE/DELETE permissions where possible



Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. Manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. |
| Title | | code-projects Employee Management System applyleaveprocess.php sql injection |
| First Time appeared | | Code-projects; Code-projects employee Management System |
| Weaknesses | | CWE-74; CWE-89 |
| CPEs | | cpe:2.3:a:code-projects:employee_management_system:*:*:*:*:*:*:*:* |
| Vendors & Products | | Code-projects; Code-projects employee Management System |
| References | | |
| Metrics: cvssV2_0 | | {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| Metrics: cvssV3_0 | | {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| Metrics: cvssV3_1 | | {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| Metrics: cvssV4_0 | | {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T10:45:10.201Z

Reserved: 2026-05-24T07:49:19.061Z

Link: CVE-2026-9451

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T12:30:25Z

Weaknesses