CVE-2026-13535

SQL Injection in CodeAstro HR Management System

Vulnerability report for CVE-2026-13535, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A flaw has been found in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function GetFileInfo of the file hrsystem/application/models/Employee_model.php of the component View Endpoint. Manipulation of the argument ID can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: codeastro
Product: human_resource_management_system
Version / Range: 1.0

CWE

CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

CVE-2026-13535 is a critical SQL Injection vulnerability found in CodeAstro's Human Resource Management System 1.0, specifically in the GetFileInfo function located in hrsystem/application/models/Employee_model.php.

The vulnerability arises because the 'I' GET parameter, which is base64-decoded, is directly embedded into an SQL query without proper sanitization or validation.

This improper handling allows attackers to inject arbitrary SQL commands remotely, potentially compromising the entire database.

The exploit can be performed by sending a malicious payload to the endpoint /hrsystem/employee/view?I=<base64_payload>.

Compliance Impact

The SQL Injection vulnerability in CodeAstro Human Resource Management System allows attackers to perform unauthorized database access, including data exfiltration and modification. Such unauthorized access to sensitive personal and employee data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health information against unauthorized access and breaches.

Failure to remediate this vulnerability could result in non-compliance with these standards due to potential data breaches, unauthorized disclosure, and lack of adequate security controls.

Impact Analysis

This SQL Injection vulnerability can lead to full database compromise.

  • Attackers can exfiltrate sensitive data stored in the database.
  • They can modify or delete data, potentially disrupting business operations.
  • Service disruption or denial of service can occur due to malicious queries.

The vulnerability can be exploited remotely without user interaction.

Detection Guidance

This vulnerability can be detected by testing the endpoint /hrsystem/employee/view with a specially crafted base64-encoded payload in the 'I' GET parameter to check for SQL injection vulnerabilities.

You can use tools like sqlmap or manual curl commands to test for SQL injection by sending requests with malicious payloads and observing the responses.

  • Example curl command to test the endpoint: curl -v "http://<target>/hrsystem/employee/view?I=<base64_encoded_payload>"
  • Use sqlmap to automate detection: sqlmap -u "http://<target>/hrsystem/employee/view?I=<base64_encoded_payload>" --batch

Look for signs of boolean-based blind, error-based, or time-based SQL injection responses to confirm the vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing prepared statements with parameterized queries in the GetFileInfo function to prevent SQL injection.

Enforce strict input validation before decoding the 'I' parameter to ensure only expected data is processed.

Ensure the database user account used by the application has least-privilege permissions to limit potential damage.

Implement proper error handling to avoid leaking database error information to attackers.

If possible, temporarily restrict or monitor access to the vulnerable endpoint until a patch is applied.
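The following is an added illustration, not code from the CodeAstro project: it places the concatenation pattern described in the executive summary next to a hardened version that validates the decoded 'I' value and binds it as a query parameter. It assumes a CodeIgniter 3 model (suggested by the hrsystem/application/models path) and an employees table with an integer id column; the function and column names are hypothetical.

```php
<?php
// Added example, not the project's own code. Assumes a CodeIgniter 3
// database object ($db) and a hypothetical `employees` table with an
// integer `id` column and the columns selected below.

// Insecure pattern matching the CWE-89 description on this page: the
// base64-decoded request value is concatenated straight into the SQL
// string, so anything after decoding is interpreted as SQL syntax.
function get_file_info_unsafe($db, $encoded)
{
    $id = base64_decode($encoded);
    return $db->query("SELECT * FROM employees WHERE id = '" . $id . "'")->row();
}

// Hardened version: reject anything that is not a base64-encoded integer
// before it reaches the database, then use query binding so the driver,
// not string concatenation, handles the value.
function get_file_info_safe($db, $encoded)
{
    // Strict mode makes base64_decode() return false on characters
    // outside the base64 alphabet instead of silently skipping them.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || !ctype_digit($decoded)) {
        // The caller should map null to a generic "not found" response
        // rather than surfacing a database error to the client.
        return null;
    }
    $id = (int) $decoded;

    // CodeIgniter 3 query binding: each ? is replaced with the escaped
    // bound value, so $id can never change the shape of the statement.
    $sql = 'SELECT id, name, file_path FROM employees WHERE id = ?';
    $q = $db->query($sql, array($id));

    return $q->num_rows() === 1 ? $q->row() : null;
}
```

Pair this with a database account that only has SELECT on the tables the view endpoint needs, so a remaining injection elsewhere cannot modify or drop data.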
