CVE-2026-13525

SQL Injection in CodeAstro HR Management System

Vulnerability report for CVE-2026-13525, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee_model.php of the component Update_Earn_Leave Endpoint. The manipulation of the argument emid results in SQL injection. The attack can be launched remotely. The exploit is now public and may be used.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: codeastro
Product: human_resource_management_system
Version / Range: 1.0

Exploitability

CWE ID and Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Detection Guidance

This vulnerability can be detected by testing the /hrsystem/leave/Update_Earn_Leave endpoint for time-based blind SQL injection via the emid POST parameter.

A proof-of-concept involves injecting a payload that causes a delayed server response, such as using the SQL command SLEEP(5) to confirm SQL injection.

An example command using SQLMap to automate detection and exploitation is:

  • sqlmap -u "http://target/hrsystem/leave/Update_Earn_Leave" --data="emid=1' AND (SELECT 2361 FROM (SELECT(SLEEP(5)))vRnL)-- rMVG" --method=POST

Executive Summary

CVE-2026-13525 is a time-based blind SQL injection vulnerability in the CodeAstro Human Resource Management System 1.0. It affects the emselectByCode() function in the Employee_model.php file, specifically the emid POST parameter in the Update_Earn_Leave endpoint.

The vulnerability arises because user input in the emid parameter is directly concatenated into SQL queries without proper sanitization or parameterization. This allows an authenticated attacker to inject malicious SQL code remotely.

Exploitation can cause delayed server responses, confirming successful SQL injection, and can be automated using tools like SQLMap.

Impact Analysis

This vulnerability can lead to serious impacts including exposure of sensitive data, enumeration of the database structure, extraction of employee information, authentication bypass, and potentially full database compromise depending on the privileges of the exploited user.

Since the attack can be launched remotely by an authenticated user, it increases the risk of unauthorized access and data breaches.

Mitigation Strategies

Immediate mitigation steps include implementing parameterized queries instead of string concatenation to prevent SQL injection.

Enforce strict input validation on the emid parameter to ensure only expected values are accepted.

Apply the principle of least privilege to database accounts used by the application to limit potential damage.

Enable centralized logging and monitoring to detect suspicious activities related to this endpoint.

Consider deploying a Web Application Firewall (WAF) to help block malicious requests targeting this vulnerability.
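The logging and monitoring point above is the one a defender can act on before a patch is available. The script below is an added example, not code from this page or from CodeAstro: it scans request records for the Update_Earn_Leave endpoint and flags a request when the emid form field carries SQL syntax (the time-delay functions used by the blind technique described on the page, a quote followed by a boolean operator, comment sequences, UNION SELECT) or when the response took unusually long, which is exactly the signal a time-based blind injection produces. The log format (JSON lines with method, path, raw form body and duration, as an application-level request logger or a reverse proxy that records bodies might emit) and the 4-second latency threshold are assumptions; standard web-server access logs do not contain POST bodies, so the latency check is the part that still works against them. The sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

# Endpoint path and parameter name come from the advisory; the log format
# and thresholds below are assumptions made for this example.
TARGET_PATH = "/hrsystem/leave/Update_Earn_Leave"
TARGET_PARAM = "emid"

# Indicators of SQL syntax inside a value that should be an employee identifier.
# The '#' comment marker can false-positive on legitimate data; tune per deployment.
SQLI_PATTERNS = [
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),  # time-delay functions
    re.compile(r"['\"]\s*(and|or)\b", re.I),                          # quote-break + boolean
    re.compile(r"(--|#|/\*)"),                                         # SQL comment sequences
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),             # UNION-based extraction
]

# A leave-update request should be cheap; responses this slow are suspicious on their own.
SLOW_RESPONSE_SECONDS = 4.0


def extract_param(body, name):
    """Return the named field from a URL-encoded form body (percent-decoded), or None."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def classify_request(rec):
    """Return the reasons one logged request is suspicious; an empty list means clean.

    rec is a dict with at least: method, path, body (raw form body), duration_s.
    """
    reasons = []
    if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
        return reasons
    value = extract_param(rec.get("body", ""), TARGET_PARAM)
    if value is not None:
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                reasons.append(f"sql syntax in {TARGET_PARAM}: {pat.pattern}")
                break  # one payload reason per request is enough for triage
    if rec.get("duration_s", 0) >= SLOW_RESPONSE_SECONDS:
        reasons.append(f"slow response {rec['duration_s']:.1f}s")
    return reasons


def scan_log(lines):
    """Parse JSON-lines request records and return (line_no, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        reasons = classify_request(rec)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample records, not real traffic. Bodies are written URL-encoded,
# as they arrive on the wire; parse_qs decodes them before matching.
SAMPLE_LOG = [
    '{"ts":"2026-06-29T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/hrsystem/leave/Update_Earn_Leave","body":"emid=EMP1042&leave=2","status":200,"duration_s":0.12}',
    '{"ts":"2026-06-29T10:00:07Z","src":"10.0.0.9","method":"POST","path":"/hrsystem/leave/Update_Earn_Leave","body":"emid=1%27+AND+%28SELECT+2361+FROM+%28SELECT%28SLEEP%285%29%29%29vRnL%29--+rMVG","status":200,"duration_s":5.21}',
    '{"ts":"2026-06-29T10:00:09Z","src":"10.0.0.9","method":"GET","path":"/hrsystem/leave/list","body":"","status":200,"duration_s":0.05}',
    '{"ts":"2026-06-29T10:00:15Z","src":"10.0.0.7","method":"POST","path":"/hrsystem/leave/Update_Earn_Leave","body":"emid=EMP0007","status":200,"duration_s":6.80}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

Run against the constructed sample, the second record is flagged for both the payload and the 5-second delay, the fourth only for latency (a clean-looking emid with a slow response is still worth a look, since a payload may have been logged elsewhere or not at all), and the GET and malformed lines are ignored. In practice the latency rule should be baselined against the endpoint's normal response time rather than a fixed constant.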

Compliance Impact

This SQL injection vulnerability in the CodeAstro Human Resource Management System can lead to unauthorized access and extraction of sensitive employee data. Such data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health-related information.

Failure to properly secure the application against SQL injection attacks may lead to breaches of confidentiality, integrity, and availability of sensitive data, potentially resulting in regulatory penalties and reputational damage.

Mitigation measures such as parameterized queries, strict input validation, least privilege database access, logging, monitoring, and deploying Web Application Firewalls are essential to maintain compliance with these standards.
