CVE-2026-15478
Received Received - Intake

SQL Injection in IceHRM UserReport Endpoint

Vulnerability report for CVE-2026-15478, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A flaw has been found in IceHRM up to 35.0.1. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
icehrm icehrm to 35.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by testing the UserReport endpoint, specifically the EmployeeAttendanceReport and other report generation modules, for SQL injection via the employeeList argument.

Proof-of-concept attacks include time-based blind and error-based SQL injection techniques, which can be used to confirm the presence of the vulnerability.

Detection commands typically involve sending crafted HTTP requests with malicious payloads in the employeeList parameter to observe SQL injection behavior.

  • Use curl or similar tools to send requests with SQL injection payloads, for example: curl -X POST -d '{"employeeList": "1 OR SLEEP(5)"}' https://your-icehrm-instance/core/src/Reports/User/Reports/EmployeeAttendanceReport.php
  • Observe response delays or error messages indicating SQL injection vulnerability.
Executive Summary

CVE-2026-15478 is an authenticated SQL injection vulnerability found in IceHRM up to version 35.0.1. It affects the UserReport endpoint, specifically the EmployeeAttendanceReport and other report generation modules. The vulnerability occurs because user input, specifically the employeeList argument, is directly embedded into SQL queries without proper validation or sanitization.

An authenticated user, even with basic 'Employee' role access, can exploit this flaw by manipulating the employeeList parameter to execute arbitrary SQL commands. This is possible because the code uses JSON-decoded input directly in SQL IN clauses without casting to integers or using parameterized queries, allowing attackers to perform SQL injection.

Proof-of-concept attacks include time-based blind and error-based SQL injection techniques. The vulnerability allows attackers to access or modify the database if the database user has sufficient privileges.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the IceHRM database. An attacker exploiting this SQL injection flaw can exfiltrate confidential information or modify data, potentially compromising the integrity and confidentiality of employee records and other HR data.

Since the attack can be launched remotely by an authenticated user, even those with limited privileges, it increases the risk of insider threats or compromised accounts being used to escalate access.

The ability to execute arbitrary SQL queries could lead to full database compromise depending on the database user's permissions, resulting in data breaches, data loss, or disruption of HR operations.

Mitigation Strategies

Immediate mitigation involves restricting access to the UserReport endpoint to trusted users only, especially limiting authenticated users with low privileges from accessing report generation modules.

Monitor and block suspicious requests that manipulate the employeeList parameter with unexpected input.

Apply input validation and sanitization by casting user-provided IDs to integers and using parameterized queries with placeholders to prevent SQL injection.

Since the project has not yet responded with a patch, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint.

Compliance Impact

The SQL injection vulnerability in IceHRM (CVE-2026-15478) allows an authenticated user to execute arbitrary SQL queries, potentially leading to full database access, data exfiltration, or modification.

Such unauthorized access and manipulation of sensitive employee data can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health-related information.

Exploitation of this vulnerability could lead to breaches of confidentiality, integrity, and availability of protected data, thereby impacting compliance with these common standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15478. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart