{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37346", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T15:44:44.805Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T15:02:30.527Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/payroll-management-and-information-system/SQL-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T15:44:39.105543Z", "id": "CVE-2026-37346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:44:44.805Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37346", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T15:44:44.805Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T15:02:30.527Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/payroll-management-and-information-system/SQL-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-37346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T15:44:39.105543Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:43:52.038Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=."}], "id": "CVE-2026-37346", "lastModified": "2026-04-16T16:16:17.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T15:17:37.560", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/payroll-management-and-information-system/SQL-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "payroll_management_and_information_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-17T04:56:40.073277+00:00", "value": {"mitigation_remediation": ["Sanitize user input and use parameterized queries for the emp_id value in /payroll/view_account.php", "Restrict the database account used by the application to the minimum privileges required, eliminating unnecessary write permissions", "Validate the format and length of emp_id before executing any database operation"], "summary": {"action": "Immediate Patch", "impact": "SQL Injection allowing unauthorized data access and potential modification"}, "threat_synthesis": {"affected_systems": "The only documented affected product is SourceCodester Payroll Management and Information System version 1.0. No specific vendor or additional product versions are listed. A system running this application and exposing the /payroll/view_account.php page is directly impacted.", "description_and_impact": "The vulnerability resides in the SourceCodester Payroll Management and Information System v1.0, specifically in the /payroll/view_account.php endpoint. The script accepts an employee ID through an HTTP GET parameter without proper input validation or sanitization, enabling an attacker to inject arbitrary SQL commands. This flaw can lead to the disclosure of sensitive payroll data and potentially the alteration or deletion of records, compromising the confidentiality and integrity of the system.", "risk_and_exploitability": "Because the vulnerability is exploitable via a standard web request, the attack vector is likely remote, requiring only the ability to send crafted URLs to the target server. The CVSS score is 4.7, reflecting a moderate risk that still allows an attacker to read and potentially modify sensitive payroll data if exploited. The vulnerability is not currently cataloged in CISA's KEV, but the absence of a patch or mitigation advice does not diminish its severity."}}}}, "created": "2026-04-16T18:58:41.275474+00:00", "title": "SQL Injection in /payroll/view_account.php of SourceCodester Payroll Management System v1.0", "updated": "2026-04-17T05:00:05.512908+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$payroll_management_and_information_system"]}