CVE-2026-15676
Deferred Deferred - Pending Action

SQL Injection in Online Job Portal

Vulnerability report for CVE-2026-15676, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: VulDB

Description

A security flaw has been discovered in code-projects Online Job Portal up to 1.0. The impacted element is an unknown function of the file /Admin/DeleteUser.php. Performing a manipulation results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_job_portal to 1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate steps to mitigate this vulnerability include the following actions:

  • Implement session authentication checks in all affected PHP files to ensure only authorized users can access them.
  • Replace direct SQL query concatenation with prepared statements and parameter binding to prevent SQL injection.
  • Validate all input parameters, especially numeric ones, to ensure they conform to expected formats.
  • Apply CSRF tokens to prevent cross-site request forgery attacks.
  • Enforce role-based access control to restrict actions based on user privileges.
  • Minimize database user permissions to limit the impact of any potential SQL injection attacks.
  • Update the Online Job Portal system to the latest version if a patch is available, or apply the suggested fixes manually.
  • Monitor network traffic and logs for any suspicious activity targeting these endpoints.
Executive Summary

CVE-2026-15676 is a security flaw in code-projects Online Job Portal up to version 1.0. It involves SQL injection vulnerabilities combined with missing authorization checks in multiple administrative and employer management PHP files.

  • The affected files include /Admin/DeleteUser.php, /Admin/DeleteNews.php, /Admin/ApprovEmp.php, /Admin/EditUser.php, /Admin/DetailJob.php, and /Employer/DeleteJob.php.
  • These files accept GET parameters directly from unauthenticated users and concatenate them into SQL queries without proper sanitization or validation.
  • This allows remote attackers to perform arbitrary SQL operations, such as deleting administrator accounts, approving employer registrations, deleting news articles or job listings, and extracting sensitive data like job seeker personal information.
  • The vulnerability is exploitable via simple HTTP GET requests without requiring any session-based authentication.
  • The root cause is the absence of session validation, input sanitization, and proper access controls in the affected files.
Impact Analysis

This vulnerability can have severe impacts if you are using the affected Online Job Portal system.

  • Unauthenticated attackers can delete administrator accounts, leading to a complete loss of administrative control over the system.
  • Attackers can approve pending employer registrations without authorization, allowing malicious users to gain access to the system.
  • Sensitive data, such as job seeker personal information (names, emails, resumes), can be extracted or manipulated by attackers.
  • Attackers can delete news articles or job listings, disrupting the normal operation of the portal and causing reputational damage.
  • The entire database can be dumped or manipulated, leading to data breaches and potential compliance violations.
  • Since the exploit is public and can be executed remotely, the risk of exploitation is high.
Compliance Impact

This vulnerability can significantly impact compliance with common standards and regulations.

  • Under GDPR (General Data Protection Regulation), the exposure of job seeker personal data (names, emails, resumes) due to SQL injection could result in a data breach. This may lead to hefty fines, especially if the organization fails to implement adequate security measures to protect personal data.
  • HIPAA (Health Insurance Portability and Accountability Act) may apply if the portal handles health-related job listings or resumes containing medical information. Unauthorized access or manipulation of such data could violate HIPAA's privacy and security rules.
  • Other regulations, such as the PCI DSS (Payment Card Industry Data Security Standard), could be impacted if the portal processes payment information. While this CVE does not explicitly mention payment data, SQL injection vulnerabilities can often lead to broader database compromise.
  • Failure to address this vulnerability may also violate industry-specific standards or contractual obligations requiring secure handling of user data.
  • Organizations using the affected portal must remediate this issue promptly to avoid regulatory penalties and maintain compliance.
Detection Guidance

This vulnerability can be detected by checking for the presence of specific vulnerable files in the Online Job Portal system and testing for SQL injection flaws or missing authorization checks.

  • Identify the vulnerable files: /Admin/DeleteUser.php, /Admin/DeleteNews.php, /Admin/ApprovEmp.php, /Admin/EditUser.php, /Admin/DetailJob.php, and /Employer/DeleteJob.php.
  • Check if these files accept GET parameters directly without proper sanitization or session validation. This can be done by sending HTTP GET requests to these endpoints and observing if they execute without authentication.
  • Use a web vulnerability scanner like OWASP ZAP or Burp Suite to detect SQL injection vulnerabilities in these endpoints.
  • Manually test for SQL injection by appending malicious SQL payloads to the GET parameters in the URLs. For example, accessing a URL like http://[target]/Admin/DeleteUser.php?id=1' OR '1'='1 and observing if it triggers an error or unintended behavior.
  • Check for missing authorization by attempting to access these endpoints without valid session credentials. If the system allows unauthenticated access, it confirms the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart