Code Projects Employee Management System: Nine SQLi and XSS Flaws Disclosed in a Single Batch
Nine SQL injection and cross-site scripting vulnerabilities disclosed for Code Projects Employee Profile Management System 1.0, all with public exploits.

Key findings
- Nine CVEs disclosed together for Code Projects Employee Profile Management System 1.0 on May 25, 2026
- Three SQL injection flaws (CVE-2026-9451, CVE-2026-9450, CVE-2026-9449) rated CVSS 6.3
- Six cross-site scripting flaws (CVE-2026-9448, CVE-2026-9419, CVE-2026-9418, CVE-2026-9417, CVE-2026-9416, CVE-2026-9415) rated CVSS 4.3
- All nine vulnerabilities are remotely exploitable without authentication
- Public exploit code is available for every CVE in the batch
- No official patch from Code Projects as of disclosure date
On May 25, 2026, nine security vulnerabilities were disclosed together for the Code Projects Employee Profile Management System 1.0 (also referred to as Employee Management System 1.0), a PHP-based web application aimed at small-to-medium businesses. The batch, published across a nine-hour window, comprises three SQL injection (SQLi) flaws and six reflected cross-site scripting (XSS) bugs, all with publicly available exploits. Each CVE on its own carries a Medium severity rating, but the density of injection points across core employee workflows (login, profile, leave, project and password-change pages) makes the batch significant for anyone still running version 1.0.
SQL Injection Cluster (3 CVEs)
Three of the disclosed vulnerabilities are SQL injection flaws, each rated CVSSv3 6.3 (Medium). CVE-2026-9451 affects /process/applyleaveprocess.php via the ID parameter, letting a remote attacker inject SQL through the leave-application processing endpoint. CVE-2026-9450 affects /psubmit.php through the pid argument, the project submission handler. CVE-2026-9449 resides in /changepassemp.php, the employee password-change script, where the same pattern applies. Because these three scripts handle leave requests, project submissions and credential changes, successful exploitation could lead to database enumeration and credential theft, and, depending on the privileges of the application's database account, to modification of stored data, including the credentials the password-change script writes.
Cross-Site Scripting Cluster (6 CVEs)
The remaining six CVEs are all cross-site scripting vulnerabilities, each rated CVSSv3 4.3 (Medium). CVE-2026-9448 in /applyleave.php and CVE-2026-9419 in /empproject.php both reflect user-controlled input from the ID parameter without output encoding. CVE-2026-9418 is in /changepassemp.php, the same file as SQLi CVE-2026-9449, but with a different effect: the ID parameter is echoed into the page unencoded, enabling script injection. CVE-2026-9417 in /myprofileup.php and CVE-2026-9416 in /myprofile.php affect the employee profile view and update pages, natural places to plant session-stealing or phishing payloads. CVE-2026-9415 in /eloginwel.php, the employee login welcome page, completes the set. Because these six scripts span login, profile management, leave requests and project pages, a payload delivered to a logged-in employee can capture the session or issue requests from the victim's browser, including requests to the SQLi endpoints above, so the two bug classes compound rather than stand alone.
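The pattern behind both the SQLi cluster and the XSS cluster, shown as an added example that is not code from the Code Projects project or from the advisories: a request parameter concatenated into an SQL string and echoed into the page, placed beside the hardened form that uses a PDO prepared statement and htmlspecialchars(). The table and column names (employees, id, name), the assumption that employee IDs are integers, and the in-memory SQLite database used for the demonstration are assumptions made here, not facts about the product; the script needs PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not code from Code Projects or the advisories. Reconstructs the
// generic pattern behind the reported SQLi and XSS flaws (a GET parameter
// concatenated into SQL and echoed into HTML) and shows the hardened form.
// Table/column names (employees, id, name), the integer-ID assumption and the
// SQLite demo database are assumptions for illustration.
declare(strict_types=1);

// --- Vulnerable pattern -------------------------------------------------------
function lookupEmployeeVulnerable(PDO $pdo, string $id): array
{
    // String concatenation: a value such as 1' OR '1'='1 rewrites the WHERE clause.
    $sql = "SELECT id, name FROM employees WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function renderHeadingVulnerable(string $id): string
{
    // Raw parameter in an HTML text node: a <script> element in the value runs.
    return '<h2>Employee ' . $id . '</h2>';
}

// --- Hardened form ------------------------------------------------------------
function lookupEmployee(PDO $pdo, string $id): array
{
    // Validate the shape first; employee IDs are integers in this assumed schema.
    if (!ctype_digit($id)) {
        return [];
    }
    // Prepared statement: the value is bound as data and is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM employees WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderHeading(string $id): string
{
    // Contextual output encoding for an HTML text node; attribute, JavaScript
    // and URL contexts each need their own encoder.
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Employee ' . $safe . '</h2>';
}

// --- Demonstration against a constructed in-memory SQLite database ------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO employees (id, name) VALUES (1, 'Alice'), (2, 'Bob')");

$sqlPayload = "1' OR '1'='1";
$xssPayload = '<script>alert(document.cookie)</script>';

// The injected OR clause makes the vulnerable query return every employee row;
// the hardened version rejects the value during validation and returns nothing.
printf("vulnerable query: %d row(s)\n", count(lookupEmployeeVulnerable($pdo, $sqlPayload)));
printf("hardened query:   %d row(s)\n", count(lookupEmployee($pdo, $sqlPayload)));

// The vulnerable heading carries a live <script> element; the hardened heading
// carries only escaped text.
echo renderHeadingVulnerable($xssPayload), "\n";
echo renderHeading($xssPayload), "\n";
```

Run it with `php example.php`. The two hardened functions are independent fixes: the prepared statement closes the SQL injection regardless of what the value looks like, and the encoder closes the reflected XSS regardless of what the database returned, so a script such as /changepassemp.php, which the advisories list under both classes, needs both.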
Impact and Exploitation Context
All nine CVEs have publicly available exploits; the disclosure notes state that exploit code has been "released to the public" or "disclosed publicly." This raises the risk for any organization running Employee Profile Management System 1.0, since attackers can take the proof-of-concept code as-is. The vulnerabilities are described as remotely exploitable without authentication, meaning no valid user session is required to trigger the injection. One check is worth making before relying on that summary: a CVSSv3 base score of 6.3 for an SQL injection and 4.3 for an XSS are also exactly the values produced by vectors that assume a low-privileged account (AV:N/AC:L/PR:L/UI:N/S:U with C:L/I:L/A:L and with C:N/I:L/A:N respectively), so confirm the Privileges Required metric in each published vector string when deciding which endpoints an outsider can reach. No in-the-wild exploitation campaigns had been reported at the time of disclosure, but public exploit availability makes scanning for the affected paths likely in the near term.
Response and Patch Status
As of the disclosure date, Code Projects has not released a patched version addressing any of the nine CVEs; the affected version is 1.0 across all advisories. Administrators should monitor the Code Projects website for an updated release. Until one appears, the available mitigations are stopgaps rather than fixes: put a web application firewall (WAF) in front of the application with rules that block SQL injection and XSS payloads on the affected scripts, restrict network access to trusted IP ranges or a VPN, and review both web server access logs and database query logs for the attack patterns. Anyone maintaining a local copy of the code can close the holes directly, since both bug classes have standard fixes (parameterised queries for the SQL, contextual output encoding for the reflected parameters). Given that the application appears to be unmaintained or only sporadically updated, organizations may also need to consider replacing the system entirely.
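The log review suggested above, as an added example that is not code from the project or the advisories: a PHP command-line script that parses web server access-log lines in the Apache/nginx "combined" format, keeps only requests to the eight affected scripts, and flags any query-string value carrying SQL or HTML metacharacters. The log lines are constructed for the demonstration; only the paths come from the advisories. Where an advisory does not name a parameter, the script inspects every parameter rather than guessing one.

```php
<?php
// Added example, not code from Code Projects or the advisories. Scans access-log
// lines ("combined" format) for requests to the affected scripts whose query
// parameters carry SQL or HTML metacharacters. The sample log lines below are
// constructed; only the paths come from the published advisories.
declare(strict_types=1);

// The affected scripts (one file appears in both a SQLi and an XSS advisory).
const AFFECTED_PATHS = [
    '/process/applyleaveprocess.php', // CVE-2026-9451 (SQLi, ID)
    '/psubmit.php',                   // CVE-2026-9450 (SQLi, pid)
    '/changepassemp.php',             // CVE-2026-9449 (SQLi), CVE-2026-9418 (XSS, ID)
    '/applyleave.php',                // CVE-2026-9448 (XSS, ID)
    '/empproject.php',                // CVE-2026-9419 (XSS, ID)
    '/myprofileup.php',               // CVE-2026-9417 (XSS)
    '/myprofile.php',                 // CVE-2026-9416 (XSS)
    '/eloginwel.php',                 // CVE-2026-9415 (XSS)
];

// Indicator patterns applied to each URL-decoded parameter value.
const INDICATORS = [
    'sqli' => '/(\'|"|--|\/\*|\bunion\b|\bor\b\s+\S+\s*=|\bsleep\s*\(|\bbenchmark\s*\()/i',
    'xss'  => '/(<\s*\/?\s*\w|javascript\s*:|\bon\w+\s*=)/i',
];

// Parse one "combined" log line into its fields, or return null if it does not match.
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]);
    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params); // also URL-decodes %27, %3C, ...
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? $m[4],
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

// Return a list of indicator hits for a request to an affected path; empty otherwise.
function flagRequest(array $req): array
{
    if (!in_array($req['path'], AFFECTED_PATHS, true)) {
        return [];
    }
    $hits = [];
    foreach ($req['params'] as $name => $value) {
        if (!is_string($value)) {
            continue; // nested array parameters (a[]=...) are not inspected here
        }
        foreach (INDICATORS as $class => $regex) {
            if (preg_match($regex, $value)) {
                $hits[] = sprintf('%s in %s=%s', $class, $name, $value);
            }
        }
    }
    return $hits;
}

// Scan a whole log and return the flagged requests with their hits.
function scanLog(string $log): array
{
    $flagged = [];
    foreach (explode("\n", $log) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $hits = flagRequest($req);
        if ($hits !== []) {
            $flagged[] = ['request' => $req, 'hits' => $hits];
        }
    }
    return $flagged;
}

// Constructed sample: two benign requests followed by three probes of affected scripts.
$sampleLog = <<<'LOG'
10.0.0.5 - - [25/May/2026:10:01:02 +0000] "GET /myprofile.php?ID=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [25/May/2026:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.9 - - [25/May/2026:10:02:41 +0000] "GET /process/applyleaveprocess.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7230 "-" "python-requests/2.31"
203.0.113.9 - - [25/May/2026:10:02:45 +0000] "GET /psubmit.php?pid=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 7410 "-" "python-requests/2.31"
203.0.113.9 - - [25/May/2026:10:03:10 +0000] "GET /eloginwel.php?ID=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
LOG;

foreach (scanLog($sampleLog) as $entry) {
    $r = $entry['request'];
    printf("%s %s %s %s -> %s\n", $r['time'], $r['ip'], $r['method'], $r['path'], implode('; ', $entry['hits']));
}
```

Point the script at a real log by replacing `$sampleLog` with `file_get_contents()` of the access log. Two caveats a responder should keep in mind: access logs do not record POST bodies, so requests to the password-change and project-submission handlers that carry the injected value in the body will not be caught here and need the WAF or application-level request logging instead; and apostrophes in legitimate values (names, free text) will trigger the sqli pattern, so treat hits as triage candidates rather than as confirmed attacks.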
Why This Batch Matters
Three SQLi and six XSS flaws disclosed at once for a single product version is a notable concentration: injection points sit in nearly every major user-facing script (login, profile, leave, project, password change), so an attacker needs only one reachable endpoint to gain a foothold. For small businesses that rely on this free, open-source system, the lack of a vendor response combined with public exploit availability creates a ticking clock. Administrators should treat version 1.0 as exploitable until patched and prioritize either applying virtual patches or migrating to an alternative employee management solution.