CVE-2026-7118
Description
A security vulnerability has been detected in code-projects Employee Management System 1.0. The affected element is an unknown function of the file 370project/cancel.php. The manipulation of the argument id/token leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in code-projects Employee Management System 1.0 cancel.php allows remote attackers to manipulate leave requests or infer database data via time-based blind techniques.
Vulnerability
Analysis
An SQL injection vulnerability exists in the cancel.php file of the code-projects Employee Management System 1.0. The id and token GET parameters are concatenated directly into an SQL UPDATE statement without sanitization or parameterization [1]. An attacker can therefore inject arbitrary SQL through either parameter [1].
Exploitation
The attack is remotely exploitable without authentication: the vulnerable endpoint /cancel.php accepts GET requests and places the user-supplied id and token values directly into the query UPDATE employee_leave SET status='Cancelled' WHERE id=$id and token = $token [1]. A proof of concept demonstrates a time-based blind SQL injection payload that causes a 10-second delay via SLEEP(10), confirming the vulnerability [1]. Because the injection point is the WHERE clause of an UPDATE, a payload that widens the condition changes more rows than the caller intended, and a payload that conditionally delays the query gives a timing oracle; an attacker with knowledge of the database structure can use either to infer data or modify records.
Impact
Successful exploitation could allow an attacker to manipulate leave-request statuses (e.g., unauthorized cancellation), infer sensitive database information through blind SQL injection techniques, or degrade availability by triggering expensive database operations [1]. The direct impact depends on the database user's permissions, but the unauthenticated remote access vector increases the risk.
Mitigation
As of the publication date, no official patch has been released for this vulnerability in version 1.0. The vendor, code-projects, was notified through the public disclosure. Until an update is available, operators should patch cancel.php themselves: validate that id is an integer and pass both id and token to the database through a prepared statement with bound parameters instead of string concatenation [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
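The concatenation pattern described in the Analysis and Exploitation sections, and the bound-parameter replacement recommended under Mitigation, reconstructed side by side as an added example. This is not the project's code and not the cited proof of concept. It uses an in-memory SQLite table with constructed rows in place of the application's MySQL database; the employee_leave table, the 'Cancelled' status value and the id/token columns are taken from the UPDATE statement quoted above, while the token values, the tautology payload and the integer check on id are assumptions made for the demonstration. SQLite has no SLEEP(), so the time-based payload is shown reaching the statement text rather than being executed.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's employee_leave
# table. Only the table name and the id, token and status columns come from
# the UPDATE statement quoted in the analysis; the values are made up here.
SAMPLE_LEAVE_ROWS = [
    (1, "7731", "Pending"),
    (2, "4820", "Approved"),
    (3, "9156", "Pending"),
]


def fresh_db():
    """In-memory SQLite stand-in for the MySQL database behind cancel.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee_leave (id INTEGER, token TEXT, status TEXT)")
    conn.executemany("INSERT INTO employee_leave VALUES (?, ?, ?)", SAMPLE_LEAVE_ROWS)
    conn.commit()
    return conn


def build_vulnerable_query(params):
    """Reproduce the flawed pattern: GET values dropped into the SQL text."""
    return ("UPDATE employee_leave SET status='Cancelled' "
            f"WHERE id={params['id']} and token = {params['token']}")


def cancel_vulnerable(conn, params):
    """Execute the concatenated statement; returns the number of rows changed."""
    cur = conn.execute(build_vulnerable_query(params))
    conn.commit()
    return cur.rowcount


def cancel_parameterized(conn, params):
    """Hardened handler: id must be a plain integer and both values are bound.

    Returns the number of rows changed, or -1 when the request is rejected
    (the web handler would answer HTTP 400). The integer check is an
    assumption for this demo; the binding alone removes the injection.
    """
    raw_id = params.get("id", "")
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return -1
    cur = conn.execute(
        "UPDATE employee_leave SET status='Cancelled' WHERE id=? AND token=?",
        (int(raw_id), params.get("token", "")),
    )
    conn.commit()
    return cur.rowcount


def cancelled_ids(conn):
    """Ids whose leave request now reads 'Cancelled', in ascending order."""
    rows = conn.execute(
        "SELECT id FROM employee_leave WHERE status='Cancelled' ORDER BY id")
    return [r[0] for r in rows]


def run_scenarios():
    """Send a legitimate, a tautology and a time-based input to both handlers."""
    legit = {"id": "2", "token": "4820"}
    tautology = {"id": "1", "token": "0 OR 1=1"}         # constructed, via token
    timing = {"id": "1 AND SLEEP(10)", "token": "7731"}  # MySQL SLEEP() as in the PoC

    results = {}
    db = fresh_db()
    results["vuln_legit_rows"] = cancel_vulnerable(db, legit)
    db = fresh_db()
    results["vuln_tautology_rows"] = cancel_vulnerable(db, tautology)
    results["vuln_tautology_ids"] = cancelled_ids(db)
    # SQLite cannot run SLEEP(); show the payload landing in the statement
    # text that MySQL would execute instead.
    results["vuln_timing_sql"] = build_vulnerable_query(timing)

    db = fresh_db()
    results["safe_legit_rows"] = cancel_parameterized(db, legit)
    db = fresh_db()
    results["safe_tautology_rows"] = cancel_parameterized(db, tautology)
    results["safe_timing_rows"] = cancel_parameterized(db, timing)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Run directly, the script prints one line per scenario: the concatenated handler cancels every leave request when the tautology arrives in the token parameter (the AND binds tighter than the injected OR, so the WHERE clause becomes true for all rows) and passes the SLEEP(10) text straight into the statement, whereas the bound version changes only the row whose id and token both match, treats the tautology as an ordinary non-matching token string, and refuses the non-numeric id before any query runs.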
Affected products (1)
Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.