CVE-2026-12131
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A SQL injection vulnerability has been identified in CodeAstro Human Resource Management System 1.0 within the Payroll Invoice module. The flaw exists in the Invoice function of Payroll.php, where the ID argument is susceptible to manipulation. Remote exploitation is possible, and a public exploit is available.
Risk Assessment
The risk involves the possibility of remote execution of unauthorized SQL queries, potentially leading to data leakage, modification, or deletion within the HR system database.
Recommendation
Immediately update the system to the latest version or apply a security patch. In the meantime, validate and sanitize input for the ID parameter and deploy a Web Application Firewall (WAF).
Original NVD description (English source)
A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

