PatchSiren cyber security CVE debrief
CVE-2026-15478 IceHRM CVE debrief
A SQL injection vulnerability was found in IceHRM up to 35.0.1. The vulnerability affects an unknown function in the EmployeeAttendanceReport.php file of the UserReport Endpoint. The attack can be launched remotely by manipulating the employeeList argument. This could potentially lead to unauthorized access to sensitive data. Administrators and users should be aware of this vulnerability and take necessary precautions to prevent exploitation.
- Vendor
- IceHRM
- Product
- IceHRM
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Administrators and users of IceHRM up to 35.0.1 should be aware of this vulnerability and take necessary precautions to prevent exploitation. This includes updating IceHRM to a version that is not vulnerable, implementing input validation and sanitization for user input, and monitoring for suspicious activity on the UserReport Endpoint.
Technical summary
The vulnerability is caused by a lack of proper input validation in the EmployeeAttendanceReport.php file of the UserReport Endpoint in IceHRM up to 35.0.1. An attacker can exploit this vulnerability by sending a malicious request with a manipulated employeeList argument, potentially leading to unauthorized access to sensitive data. This could allow attackers to extract or modify sensitive employee attendance data. The vulnerability has a CVSS score of 2.1 and a severity of LOW. Administrators and users should be aware of this vulnerability and take necessary precautions to prevent exploitation, including updating IceHRM to a version that is not vulnerable, implementing input validation and sanitization for user input, and monitoring for suspicious activity on the UserReport Endpoint.
Defensive priority
Low
Recommended defensive actions
- Update IceHRM to a version that is not vulnerable
- Implement input validation and sanitization for user input
- Monitor for suspicious activity on the UserReport Endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-12T05:16:08.747Z and has not been modified since then. The NVD entry is currently in the 'Received' state. The vulnerability was found in IceHRM up to 35.0.1. The source details are limited, and defenders should verify the affected scope and severity with the vendor or other reliable sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T05:16:08.747Z and has not been modified since then.