{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37594", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T15:28:50.725Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:01:43.264Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-2.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:28:44.177007Z", "id": "CVE-2026-37594", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:28:50.725Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-37594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:28:44.177007Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:28:15.678Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-2.md"}], "descriptions": [{"lang": "en", "value": "SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:01:43.264Z"}}}, "cveMetadata": {"cveId": "CVE-2026-37594", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:28:50.725Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php."}], "id": "CVE-2026-37594", "lastModified": "2026-04-14T16:16:41.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T15:16:33.273", "references": [{"source": "cve@mitre.org", "url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-2.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "online_employees_work_from_home_attendance_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T15:25:59.029340+00:00", "value": {"mitigation_remediation": ["Apply any vendor-published patch for SourceCodester Online Employees Work From Home Attendance System v1.0; if no patch exists, upgrade to the latest stable release.", "Modify /wfh_attendance/admin/view_employee.php to use parameterized SQL queries or an ORM that escapes user input to prevent injection attacks.", "Restrict access to the admin interface by enforcing authentication, using IP whitelisting, and enabling multi\u2011factor authentication wherever possible.", "Enable detailed SQL query logging and monitor logs for suspicious activity that could indicate injection attempts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Online Employees Work From Home Attendance System version 1.0, a web\u2011based attendance tracking solution.", "description_and_impact": "The vulnerability is a classic SQL injection that occurs in the /wfh_attendance/admin/view_employee.php file of SourceCodester Online Employees Work From Home Attendance System v1.0 because user input is not properly validated or sanitized. An attacker who can supply crafted input could cause the application to execute unintended SQL commands, potentially allowing unauthorized read, update, or delete operations on the employee attendance database, which would expose sensitive personnel data and disrupt data integrity.", "risk_and_exploitability": "The CVSS score is not available and the EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is the public web interface of the admin page, meaning an attacker could exploit the flaw without needing prior authentication if the admin section is risk of exploitation is therefore high for installations that do not restrict or secure the admin path, potentially leading to unauthorized data disclosure or modification."}}}}, "created": "2026-04-14T16:16:46.281248+00:00", "title": "SQL Injection in Admin View Employee Page of SourceCodester Online Employees Work From Home Attendance System v1.0", "updated": "2026-04-14T16:31:52.562454+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$online_employees_work_from_home_attendance_system"], "weaknesses": ["CWE-89"]}