CVE-2026-37347
Description
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL Injection in SourceCodester Payroll Management v1.0 via emp_id parameter allows attackers to extract database contents.
Vulnerability
A SQL injection vulnerability exists in SourceCodester Payroll Management and Information System v1.0. The flaw is located in the /payroll/view_employee.php file, where the emp_id parameter is directly concatenated into SQL queries without proper sanitization or parameterization [1]. An authenticated attacker can exploit this to inject arbitrary SQL commands.
Exploitation
To exploit the vulnerability, an attacker must first authenticate with valid credentials (e.g., admin/admin). A crafted GET request to /payroll/view_employee.php?emp_id=-1%27%20union%20select%201,2,database(),4,5,6,7,8,9--+ triggers a UNION-based SQL injection, revealing the database name and potentially other data from the underlying MySQL database [1]. No special network position is required beyond access to the web application.
Impact
Successful exploitation allows an attacker to retrieve sensitive information from the database, such as user credentials, employee details, payroll data, and other confidential records. The attacker may also be able to escalate privileges or further compromise the application depending on database permissions.
Mitigation
As of publication, no official patch has been released by SourceCodester. Users should implement input validation and use prepared statements with parameterized queries to prevent SQL injection. Additionally, limiting database user privileges and applying web application firewall rules can reduce risk.
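The prepared-statement fix recommended above, shown as an added example rather than code from the SourceCodester project: a hypothetical reconstruction of the concatenation pattern the description attributes to view_employee.php, beside a hardened handler that validates emp_id as an integer and binds it with mysqli. The table and column names (employees, emp_id) and the mysqli connection are assumptions, not taken from the application.

```php
<?php
// Added example, not the project's code. Table/column names are assumed.

// Vulnerable pattern: the emp_id query parameter is concatenated straight into
// the SQL text, so its contents become part of the statement that MySQL runs.
function view_employee_vulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM employees WHERE emp_id = '" . ($get['emp_id'] ?? '') . "'";
    $res = $db->query($sql);             // injected SQL in emp_id executes here
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: reject anything that is not a positive integer, then bind
// the value as a parameter so it can never alter the query structure.
function view_employee_safe(mysqli $db, array $get): ?array
{
    $empId = filter_var($get['emp_id'] ?? null, FILTER_VALIDATE_INT);
    if ($empId === false || $empId < 1) {
        http_response_code(400);         // malformed or out-of-range id: refuse
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM employees WHERE emp_id = ?");
    $stmt->bind_param('i', $empId);      // 'i' binds an integer; SQL text stays fixed
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}
```

Pairing the parameterized query with a read-only, least-privileged database account for the web application, as the mitigation text suggests, limits what a residual injection elsewhere in the application could read.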
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.