SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: SourceCodester Payroll Management and Information System v1.0 and CodeAstro Simple Attendance Management System v1.0. The SourceCodester issue, tracked as CVE-2026-37347, affects /payroll/view_employee.php and is classified as CWE-89; its CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity.
The CodeAstro flaw, CVE-2026-37749, is also a CWE-89 SQL injection bug and affects index.php, where the username parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
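To make the two CWE-89 patterns above concrete, here is an added Python example (not code from SourceCodester, CodeAstro, or this page). It models a login check like the one behind the username-parameter authentication bypass and an employee lookup like the one in view_employee.php, each shown in the string-concatenated form that creates the flaw beside its parameterized form. Python's sqlite3 stands in for the PHP/MySQL stack of the affected apps; the table names, columns, sample rows and test inputs are all constructed for the demo and are not taken from either product.

```python
"""
Added example: CWE-89 login and record-lookup code, vulnerable vs. hardened.
sqlite3 stands in for the PHP/MySQL stack of the apps named in the advisory;
schema, rows and inputs are constructed for the demo.
"""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Demo-only hashing so the table never stores plaintext; a real login
    # should use a slow password hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not the apps' real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", _hash("correct-horse")))
    conn.executemany("INSERT INTO employees (name, salary) VALUES (?, ?)",
                     [("Alice", 5000), ("Bob", 4200)])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The CWE-89 pattern: untrusted request input is spliced into the SQL text,
    # so the username value can change the meaning of the WHERE clause.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding: the driver sends the values separately from the query
    # text, so the username is only ever compared as data, never parsed as SQL.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def is_safe_id(emp_id: str) -> bool:
    """Input validation for a numeric record id taken from the query string."""
    return emp_id.isdigit()


def view_employee_vulnerable(conn: sqlite3.Connection, emp_id: str) -> list:
    # A numeric id interpolated without validation or binding (the same
    # defect class as the view_employee.php issue described above).
    return conn.execute(f"SELECT name, salary FROM employees WHERE id = {emp_id}").fetchall()


def view_employee_hardened(conn: sqlite3.Connection, emp_id: str) -> list:
    # Reject anything that is not a plain integer, then bind the value.
    if not is_safe_id(emp_id):
        raise ValueError("employee id must be numeric")
    return conn.execute("SELECT name, salary FROM employees WHERE id = ?",
                        (int(emp_id),)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Regression-style check: a username containing a quote and a comment
    # marker must not log anyone in once parameters are bound.
    probe = "admin' --"
    print("vulnerable login accepts probe:", login_vulnerable(db, probe, "wrong"))
    print("hardened login accepts probe:  ", login_hardened(db, probe, "wrong"))
    print("hardened lookup, id=2:", view_employee_hardened(db, "2"))
```

The useful part for a defender is the pair of checks in the `__main__` block: the same malformed username succeeds against the concatenated query and fails against the bound one, so the hardened functions can be kept as a regression test when migrating code like the two PHP endpoints above to prepared statements.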
Timeline
Apr 17, 2026
CVE-2026-37749 updated with CVSS score and references
Also on 2026-04-17, the CVE-2026-37749 entry was updated with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, classified as CWE-89, and linked to the CodeAstro product page and a GitHub reference.
Apr 17, 2026
CVE-2026-37749 disclosed for CodeAstro attendance system SQL injection
On 2026-04-17, CVE-2026-37749 was published for a SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0. The flaw in index.php allows remote, unauthenticated attackers to bypass authentication via the username parameter.
Apr 16, 2026
CVE-2026-37347 updated with CVSS details and GitHub reference
On 2026-04-16, the CVE-2026-37347 record was updated to include a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N and a GitHub reference documenting the issue. The scoring indicates remote exploitation with no privileges required and high confidentiality and integrity impact.
Apr 16, 2026
MITRE receives CVE-2026-37347 for SourceCodester payroll SQL injection
MITRE received CVE-2026-37347 on 2026-04-16 for a SQL injection vulnerability in SourceCodester Payroll Management and Information System v1.0. The flaw affects /payroll/view_employee.php and was classified as CWE-89.
Related Stories

Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
3 days ago
Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of `/projects/hospital/admin/complaints.php` (CVE-2025-41004), the 'keyword' parameter of `/memsdemo/exchange_offers.php` (CVE-2025-41005), and the 'phone' parameter of `/memsdemo/login.php` (CVE-2025-41006). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in `/projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available. The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
1 month ago
SQL Injection Flaws Expose AVideo Data and Enable OpenSTAManager RCE
Two newly disclosed SQL injection vulnerabilities affect **WWBN AVideo Live Schedule Reminder** and the **OpenSTAManager Aggiornamenti** module, exposing organizations to severe database compromise. `CVE-2026-33651` is a blind SQL injection issue in AVideo rated **CVSS 8.1** that can let attackers exfiltrate the full database, including email addresses, personal information, and password hashes, while also modifying or deleting records through injected `UPDATE` or `DELETE` statements. Repeated time-based exploitation attempts could also degrade service performance by exhausting server connection pools. `CVE-2026-35168` affects OpenSTAManager and allows an authenticated attacker to execute arbitrary SQL with the privileges of the configured database user, undermining confidentiality, integrity, and availability. In MySQL or MariaDB deployments with broad database permissions, the flaw can enable schema changes, stored procedure tampering, and theft of sensitive financial data; where the database account has the `FILE` privilege, attackers can escalate from database access to **remote code execution** on the application server by writing arbitrary files to the host filesystem.
1 month ago