SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: SourceCodester Payroll Management and Information System v1.0 and CodeAstro Simple Attendance Management System v1.0. The SourceCodester issue, tracked as CVE-2026-37347, affects /payroll/view_employee.php and is classified as CWE-89; its CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity.
The CodeAstro flaw, CVE-2026-37749, is also a CWE-89 SQL injection bug and affects index.php, where the username parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-37749 updated with CVSS score and references
Also on 2026-04-17, the CVE-2026-37749 entry was updated with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, classified as CWE-89, and linked to the CodeAstro product page and a GitHub reference.
CVE-2026-37749 disclosed for CodeAstro attendance system SQL injection
On 2026-04-17, CVE-2026-37749 was published for a SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0. The flaw in index.php allows remote, unauthenticated attackers to bypass authentication via the username parameter.
CVE-2026-37347 updated with CVSS details and GitHub reference
On 2026-04-16, the CVE-2026-37347 record was updated to include a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N and a GitHub reference documenting the issue. The scoring indicates remote exploitation with no privileges required and high confidentiality and integrity impact.
MITRE receives CVE-2026-37347 for SourceCodester payroll SQL injection
MITRE received CVE-2026-37347 on 2026-04-16 for a SQL injection vulnerability in SourceCodester Payroll Management and Information System v1.0. The flaw affects /payroll/view_employee.php and was classified as CWE-89.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-37749 - CodeAstro Simple Attendance Management System SQL Injection
cvefeed.io
Open sourceCVE-2026-37347 - SourceCodester Payroll Management and Information System SQL Injection Vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026
Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of `/projects/hospital/admin/complaints.php` (CVE-2025-41004), the 'keyword' parameter of `/memsdemo/exchange_offers.php` (CVE-2025-41005), and the 'phone' parameter of `/memsdemo/login.php` (CVE-2025-41006`). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in `/projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available. The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
Mar 21, 2026
SQL Injection Flaws Expose AVideo Data and Enable OpenSTAManager RCE
Two newly disclosed SQL injection vulnerabilities affect **WWBN AVideo Live Schedule Reminder** and the **OpenSTAManager Aggiornamenti** module, exposing organizations to severe database compromise. `CVE-2026-33651` is a blind SQL injection issue in AVideo rated **CVSS 8.1** that can let attackers exfiltrate the full database, including email addresses, personal information, and password hashes, while also modifying or deleting records through injected `UPDATE` or `DELETE` statements. Repeated time-based exploitation attempts could also degrade service performance by exhausting server connection pools. `CVE-2026-35168` affects OpenSTAManager and allows an authenticated attacker to execute arbitrary SQL with the privileges of the configured database user, undermining confidentiality, integrity, and availability. In MySQL or MariaDB deployments with broad database permissions, the flaw can enable schema changes, stored procedure tampering, and theft of sensitive financial data; where the database account has the `FILE` privilege, attackers can escalate from database access to **remote code execution** on the application server by writing arbitrary files to the host filesystem.
Apr 3, 2026