PatchSiren cyber security CVE debrief
CVE-2026-9451 code-projects CVE debrief
A SQL injection vulnerability exists in code-projects Employee Management System 1.0, specifically in the /process/applyleaveprocess.php file. The vulnerability stems from improper sanitization of the 'ID' parameter, allowing remote attackers to inject malicious SQL commands. The CVSS 4.0 score of 2.1 (LOW severity) reflects limited privileges required and low impact on confidentiality, integrity, and availability. The vulnerability was published on May 25, 2026, with a modification on May 26, 2026. Public exploit availability increases risk, though the low severity score suggests constrained attack impact. The vendor attribution remains uncertain with low confidence, flagged for review. No known exploitation in ransomware campaigns or KEV listing exists.
- Vendor
- code-projects
- Product
- Employee Management System
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations operating code-projects Employee Management System 1.0; security teams managing legacy PHP applications; database administrators responsible for application-layer security; incident response teams tracking public exploit availability
Technical summary
The vulnerability resides in /process/applyleaveprocess.php where the 'ID' parameter is processed without adequate input validation or parameterization, enabling SQL injection attacks. The attack surface is network-accessible with low complexity requirements. The CVSS 4.0 scoring (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P) indicates remote exploitation possible with low privileges, yielding limited impact across security dimensions. The exploit has been publicly disclosed, increasing accessibility for threat actors.
Defensive priority
LOW
Recommended defensive actions
- Review and restrict network access to Employee Management System 1.0 instances, particularly /process/applyleaveprocess.php
- Implement parameterized queries or prepared statements for all database interactions in PHP applications
- Apply input validation and sanitization for the 'ID' parameter in applyleaveprocess.php
- Monitor database query logs for anomalous SQL patterns indicating injection attempts
- Consider Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the identified endpoint
- Evaluate migration to actively maintained employee management solutions given uncertain vendor support status
Evidence notes
Vulnerability identified through VulDB submission (ID 813707) and assigned CVE-2026-9451. Technical details reference CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection). CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and no user interaction. Exploit existence marked as 'Proof-of-Concept' in source data. Vendor identification derived from reference domain candidate 'Code Projects' with low confidence due to lack of canonical vendor verification.
Official resources
Public disclosure occurred on May 25, 2026, with exploit availability confirmed. The vulnerability affects an open-source employee management application with unknown maintenance status.