PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47966 Timeclock CVE debrief

CVE-2021-47966 describes an unauthenticated SQL injection issue in the PHP Timeclock 1.04 login flow. The weakness affects the login_userid parameter in login.php and is reported as both time-based and boolean-based blind SQL injection. In practical terms, this can let an attacker infer and extract database contents without logging in, including sensitive employee information and credentials. The supplied source record marks the vulnerability as HIGH severity and notes the NVD status as Deferred.

Vendor: Timeclock
Product: PHP Timeclock
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations running PHP Timeclock 1.04, especially any internet-facing deployments or internal timeclock systems that expose login.php. Security teams, application owners, and administrators responsible for employee-facing authentication portals should treat this as a priority if the product is in use.

Technical summary

The supplied record identifies a CWE-89 SQL injection flaw in login.php, specifically in the login_userid parameter. Because the injection is blind, attackers do not need direct query output; they can infer database responses through timing or conditional behavior. The reported impact includes unauthorized extraction of database contents, with examples in the source description mentioning employee names and credentials. The source corpus also references PHP Timeclock 1.04 and an associated advisory and proof-of-concept listing, but this debrief is limited to the defensive implications stated in the record.

Defensive priority

High. The issue is network-reachable, unauthenticated, and affects a login endpoint, so it should be validated and mitigated quickly. Even though NVD marks the source record as Deferred, the combination of no authentication required and potential exposure of credentials warrants prompt action.

Recommended defensive actions

  • Inventory whether PHP Timeclock 1.04 is deployed anywhere in your environment, including legacy or internal systems.
  • Review login.php and the login_userid parameter handling for SQL injection exposure.
  • Apply vendor or project remediation if available from the referenced PHP Timeclock distribution or advisory.
  • Restrict exposure of the application to trusted networks until remediation is in place.
  • Rotate any credentials or secrets that may have been stored in or exposed through the affected database.
  • Monitor application and database logs for unusual login.php POST activity, such as bursts of requests from a single client or repeated requests with abnormally long response times.
  • If the product cannot be patched quickly, isolate or retire the affected instance.
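As an added illustration of the log-monitoring step above (example code, not part of the PatchSiren debrief or the PHP Timeclock project): a small Python detector that reads constructed access-log lines, assumed to be in combined format with the response time appended, and flags clients whose POST /login.php traffic shows either a burst of attempts or repeated abnormally slow responses, the two traffic patterns that boolean-based and time-based blind probing produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: combined format with the response time in
# seconds appended (as an nginx "$request_time" field). Access logs carry no POST
# body, so detection here relies on request volume and timing, not on payloads.
SAMPLE_LOG = """\
198.51.100.20 - - [15/May/2026:09:59:50 +0000] "POST /login.php HTTP/1.1" 302 0 0.041
203.0.113.7 - - [15/May/2026:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 0.039
203.0.113.7 - - [15/May/2026:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 512 5.104
203.0.113.7 - - [15/May/2026:10:00:09 +0000] "POST /login.php HTTP/1.1" 200 512 0.040
203.0.113.7 - - [15/May/2026:10:00:15 +0000] "POST /login.php HTTP/1.1" 200 512 5.098
203.0.113.7 - - [15/May/2026:10:00:21 +0000] "POST /login.php HTTP/1.1" 200 512 5.110
203.0.113.7 - - [15/May/2026:10:00:27 +0000] "POST /login.php HTTP/1.1" 200 512 0.038
198.51.100.20 - - [15/May/2026:10:05:12 +0000] "GET /index.php HTTP/1.1" 200 2048 0.012
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$')

def parse(lines):
    # Yield (ip, timestamp, method, path without query string, response time).
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0], float(m["rt"])

def flag_login_probing(lines, window_s=60, burst=5, slow_s=2.0, slow_min=3):
    """Return {ip: [reasons]} for clients whose POST /login.php traffic looks like
    blind SQL injection probing: many posts inside one window (boolean-based probing
    needs many requests) or repeated responses far slower than a normal login."""
    events = defaultdict(list)
    for ip, ts, method, path, rt in parse(lines):
        if method == "POST" and path.endswith("/login.php"):
            events[ip].append((ts, rt))
    findings = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= burst:
                findings[ip].add("burst")
        if sum(rt >= slow_s for _, rt in evs) >= slow_min:
            findings[ip].add("slow_responses")
    return {ip: sorted(r) for ip, r in findings.items()}
```

Thresholds are placeholders; tune the window, burst count and slow-response cutoff against a baseline of normal login traffic before alerting on them.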

Evidence notes

The source corpus ties this CVE to PHP Timeclock 1.04 through the referenced project pages and advisory links. NVD lists the weakness as CWE-89 and the status as Deferred in the supplied record. The corpus does not provide KEV placement or ransomware association, so those are not asserted here. Vendor attribution is low-confidence in the supplied metadata, so the product is identified from the referenced sources rather than from a confirmed vendor name.

Official resources

This CVE record was published on 2026-05-15 and modified on 2026-05-18 per the supplied timeline. No KEV date was supplied, and the source corpus does not indicate confirmed ransomware use.