PatchSiren cyber security CVE debrief
CVE-2026-9450 code-projects CVE debrief
A SQL injection vulnerability exists in code-projects Employee Management System 1.0, specifically in the /psubmit.php file via the pid parameter. The vulnerability allows remote attackers to manipulate database queries. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and no user interaction needed. The vulnerability has been publicly disclosed, and exploit availability has been noted. The affected product appears to be a PHP-based employee management application distributed through code-projects.org.
- Vendor: code-projects
- Product: Employee Management System
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
- Organizations running code-projects Employee Management System 1.0
- Security teams monitoring PHP web application vulnerabilities
- Developers maintaining legacy PHP applications with direct SQL query construction
Technical summary
The vulnerability is a SQL injection (CWE-89) in the pid parameter of /psubmit.php in code-projects Employee Management System 1.0. The attack can be launched remotely with low privileges and no user interaction. The CVSS 4.0 score of 2.1 (LOW) reflects limited confidentiality, integrity, and availability impacts under the assessed metrics. The exploit has been publicly released, increasing the risk of active exploitation.
Defensive priority
medium
Recommended defensive actions
- Review and validate all user-supplied input to the pid parameter in /psubmit.php
- Implement parameterized queries or prepared statements to prevent SQL injection
- Apply input sanitization and output encoding consistent with OWASP guidelines
- Consider web application firewall (WAF) rules to detect and block SQL injection attempts
- Monitor for suspicious database query patterns in application logs
- Contact code-projects.org or review available security patches for the Employee Management System
- If no patch is available, consider restricting access to the affected endpoint or implementing additional access controls
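One way to carry out the first two actions above (validating pid in /psubmit.php and moving the lookup to a prepared statement), shown as an added example that is not code from the code-projects Employee Management System; the table and column names, the DSN and the credential placeholders are assumptions:

```php
<?php
// Added example, not the project's own code. The table employee_projects,
// the DSN and the credentials below are assumptions for illustration; the
// advisory only names /psubmit.php and the pid parameter.

// Hypothetical "before" (CWE-89): pid is concatenated straight into the SQL
// string, so whatever the client sends in pid is parsed by the database as
// part of the query instead of as a value.
function lookupProjectUnsafe(PDO $db, string $pid): ?array
{
    $sql = "SELECT * FROM employee_projects WHERE pid = '" . $pid . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: validate the type first, then bind pid as a typed
// parameter so the database never interprets it as SQL.
function lookupProjectSafe(PDO $db, mixed $pid): ?array
{
    // pid is assumed to be a positive integer identifier; anything else
    // (missing, non-numeric, negative) is rejected before reaching the DB.
    $id = filter_var($pid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM employee_projects WHERE pid = :pid');
    $stmt->bindValue(':pid', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage as it would appear in psubmit.php (placeholder DSN and credentials).
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$project = lookupProjectSafe($pdo, $_GET['pid'] ?? null);
```

Rejecting non-integer input up front also gives a clean 400 to log on, which is the application-side signal the monitoring action below relies on.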
Evidence notes
Vulnerability disclosed through VulDB with public exploit reference. CVE published 2026-05-25, modified 2026-05-26. NVD status currently 'Deferred'. Exploit reference published to GitHub.