CVE-2026-13535
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the GetFileInfo function of Employee_model.php. Manipulating the ID argument in the view endpoint allows remote attack. The exploit has been published and may be used.
Risk Assessment
An attacker can remotely steal, modify, or delete data from the HR system database, compromising the confidentiality and integrity of employee personal data.
Recommendation
Immediately apply the vendor patch or temporarily disable the view endpoint. Implement parameterized SQL queries and input validation for the ID argument.
Original NVD description (English source)
A flaw has been found in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function GetFileInfo of the file hrsystem/application/models/Employee_model.php of the component View Endpoint. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

