Cyber Resilience

CVE-2026-26700

CriticalPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 30.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26700 is a critical-severity SQL Injection (CWE-89) vulnerability in Jon-Remus-Sevellejo Personnel Property Equipment System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26700, published on 2026-03-02, is a critical SQL injection vulnerability (CWE-89) in the sourcecodester Personnel Property Equipment System v1.0. The flaw resides in the /ppes/admin/edit_employee.php component, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which reflects its high severity due to the potential for severe impacts across confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables high-impact outcomes, including unauthorized access to sensitive data (C:H), modification of database contents (I:H), and disruption of system availability (A:H), such as extracting, altering, or deleting employee records and other personnel property equipment data.

Mitigation details are outlined in the referenced advisory at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/personel-property-equipment-system/SQL-1.md. No vendor patches or additional remediation steps are specified in the CVE record.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_employee.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated web app endpoint (/edit_employee.php) directly enables remote exploitation of a public-facing application (T1190) with full read/write/delete impact on backend data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26702Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26701Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26703Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26699Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89

Affected Assets

jon-remus-sevellejo
personnel property equipment system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by enforcing input validation mechanisms at entry points like the vulnerable edit_employee.php script.

prevent

Requires identification, reporting, and correction of the specific SQL injection flaw in the application.

detect

Enables vulnerability scanning to identify SQL injection flaws like CVE-2026-26700 for timely remediation.

References