CVE-2026-13525
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.
Risk Assessment
The organization is at risk of unauthorized database access, leakage of sensitive employee personal data, and potential data modification or deletion.
Recommendation
Immediately apply a vendor patch or temporarily disable the Update_Earn_Leave endpoint. If no update is available, implement input validation and use parameterized SQL queries.
Original NVD description (English source)
A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee_model.php of the component Update_Earn_Leave Endpoint. The manipulation of the argument emid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

