CVE Catalog

CVE-2026-12131

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A SQL injection vulnerability has been identified in CodeAstro Human Resource Management System 1.0 within the Payroll Invoice module. The flaw exists in the Invoice function of Payroll.php, where the ID argument is susceptible to manipulation. Remote exploitation is possible, and a public exploit is available.

Risk Assessment

The risk involves the possibility of remote execution of unauthorized SQL queries, potentially leading to data leakage, modification, or deletion within the HR system database.

Recommendation

Immediately update the system to the latest version or apply a security patch. In the meantime, validate and sanitize input for the ID parameter and deploy a Web Application Firewall (WAF).

Original NVD description (English source)

A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS