CVE-2026-37594
SQL Injection in SourceCodester WFH Attendance System Admin Panel
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_employees_work_from_home_attendance_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-37594 is an SQL injection vulnerability in the Online Employees Work From Home Attendance System v1.0 by Sourcecodester. It is located in /wfh_attendance/admin/view_employee.php, in the handling of the 'id' GET parameter.
Because the value of 'id' is placed into the SQL query without sanitization or parameter binding, an attacker can append SQL syntax to it. The published proof of concept closes the string literal, appends a UNION SELECT, and puts sqlite_version() in one of the selected columns, so the database version string is rendered in the page where an employee field would normally appear; the same technique reads any other column the application's database account can access. Note that sqlite_version() only resolves on SQLite; a deployment backed by MySQL/MariaDB would need version() in the same position.
The result is unauthorized disclosure of database contents through a single HTTP GET request, a direct loss of confidentiality. Any impact on integrity is indirect and depends on what the leaked data (for example stored credentials) lets the attacker do next.
How can this vulnerability impact me? :
Exploitation lets an attacker read data from the application's database, including employee records and any credentials the application stores there, without any authorization check on the data being returned.
Leaked data can be used to impersonate accounts, reach other systems that share the same credentials, or expose personal information, and so serves as a foothold for further attacks.
The business consequence is a data breach involving personal data, with the associated loss of trust and the operational disruption of responding to it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Confirm the vulnerability by sending the `id` GET parameter of `/wfh_attendance/admin/view_employee.php` values that alter the query and comparing the responses. The page sits under `/admin/`; if the installation enforces the admin login, run the tests with an authenticated session cookie.
- Send the published payload `/wfh_attendance/admin/view_employee.php?id=1' union select 1,2,3,4,5,6,7,sqlite_version(),9,10,11,12,13,14,15,16,17--+` and look for a version string in the rendered employee details. The column count (17) must match the original query, and `sqlite_version()` should be replaced with `version()` if the backend is MySQL/MariaDB.
- Review web server access logs for requests to this endpoint whose `id` is not a plain integer, in particular values containing a quote, `--`, or `union select` (URL-encoded as `%27`, `--+`, `union%20select`).
- Run sqlmap against the `id` parameter (`-p id`, supplying the admin session cookie with `--cookie` if login is enforced) or a web vulnerability scanner to automate the check.
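The log review suggested above, as an added example (not code from the original page or from the Sourcecodester project): it parses Apache-style access-log lines, percent-decodes the `id` parameter the way the application's `$_GET` would see it, and flags requests to `view_employee.php` whose `id` is not a plain integer. The log lines are constructed for the example; the IPs, timestamps and user agents are not real data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not real traffic): one benign
# request, two injection attempts against the endpoint named on this page,
# and one request to an unrelated admin page.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2026:10:01:02 +0000] "GET /wfh_attendance/admin/view_employee.php?id=3 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Apr/2026:10:01:09 +0000] "GET /wfh_attendance/admin/view_employee.php?id=1%27%20union%20select%201,2,3,4,5,6,7,sqlite_version(),9,10,11,12,13,14,15,16,17--+ HTTP/1.1" 200 4388 "-" "sqlmap/1.7"
203.0.113.9 - - [14/Apr/2026:10:01:11 +0000] "GET /wfh_attendance/admin/view_employee.php?id=1%27%20AND%201=1--+ HTTP/1.1" 200 4120 "-" "sqlmap/1.7"
198.51.100.7 - - [14/Apr/2026:10:02:00 +0000] "GET /wfh_attendance/admin/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, identd, user, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/wfh_attendance/admin/view_employee.php"
UNION_RE = re.compile(r"union\s+(all\s+)?select", re.IGNORECASE)


def classify_id(value):
    """Return None for a well-formed id, otherwise a short reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    if UNION_RE.search(value):
        return "union-based SQL injection"
    if re.search(r"['\"]|--|/\*|\bor\b|\band\b", value, re.IGNORECASE):
        return "SQL metacharacters in id"
    return "non-numeric id"


def flag_requests(log_text):
    """Return one finding per request to view_employee.php whose id is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into a space, which is what
        # the PHP side receives in $_GET['id'].
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(raw_id)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "id": raw_id,
                                 "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}: id={f['id']!r}")
```

Because the check keys on the shape of `id` (anything other than digits) rather than on a signature list, it also catches boolean-based and error-based probes that never use the `union` keyword; the reason string only adds a label for triage.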
What immediate steps should I take to mitigate this vulnerability?
The fix belongs in the application code: treat `id` as untrusted and never splice it into SQL text. Access controls reduce exposure but do not remove the flaw.
- Rewrite the query in `/wfh_attendance/admin/view_employee.php` as a prepared statement with `id` bound as a parameter, and reject any value that is not a positive integer before the query runs.
- Make sure the admin pages enforce a login and change the default credentials (`admin/admin123`); this limits the attack to authenticated users but does not fix the injection.
- Add a WAF rule or log alert for requests to this endpoint whose `id` contains quotes, comment sequences, or `union select`; treat this as a detective control, not a fix.
- Apply any vendor update that addresses the issue; if none is available, patch the file locally.
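The vulnerable pattern and its parameterized replacement side by side, as an added example that is not code from the original page or from the Sourcecodester project. It also illustrates the UNION technique described earlier on this page. The example runs against a constructed in-memory SQLite table (chosen because the published payload calls `sqlite_version()`); the real schema behind `view_employee.php` is not reproduced, so the table has 4 columns and the payload is shortened from 17 columns to 4. The function names are assumptions for illustration.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the application's database (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [(1, "Alice Example", "alice@example.test", 1),
         (2, "Bob Example", "bob@example.test", 0)],
    )
    return conn


def view_employee_vulnerable(conn, emp_id):
    """The flaw class on this page: the GET value is spliced into the SQL text."""
    sql = "SELECT id, name, email, status FROM employees WHERE id = '" + emp_id + "'"
    return conn.execute(sql).fetchall()


def view_employee_fixed(conn, emp_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not emp_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name, email, status FROM employees WHERE id = ?"
    return conn.execute(sql, (int(emp_id),)).fetchall()


# Same shape as the published payload: close the string literal, append a
# UNION that places sqlite_version() in a column, comment out the trailing quote.
PAYLOAD = "1' union select 1,2,sqlite_version(),4--"


def leaked_version(conn):
    """Return the database version string if the payload leaks it, else None."""
    for row in view_employee_vulnerable(conn, PAYLOAD):
        if row[2] == sqlite3.sqlite_version:
            return row[2]
    return None


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable rows:", view_employee_vulnerable(conn, PAYLOAD))
    print("leaked version:", leaked_version(conn))
    try:
        view_employee_fixed(conn, PAYLOAD)
    except ValueError as e:
        print("fixed rejects payload:", e)
```

Parameter binding alone already defeats the payload, because the driver sends the whole string as a value and the database never parses it as SQL; the integer check in front of it is defence in depth and also produces a clean error instead of an empty page for malformed input.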
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection in the Online Employees Work From Home Attendance System v1.0 allows an attacker to read database contents through the unsanitized 'id' parameter, which in this application means employee records and therefore personal data.
Unauthorized disclosure of personal data is a breach of the confidentiality requirements that regulations such as GDPR and HIPAA impose on organizations processing it, and may trigger breach-notification duties.
An exposed installation therefore puts the operator at risk of non-compliance for failing to protect personal information against unauthorized access.