Cyber Posture

CVE-2026-26700

CriticalPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26700 is a critical-severity SQL Injection (CWE-89) vulnerability in Jon-Remus-Sevellejo Personnel Property Equipment System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection by enforcing input validation mechanisms at entry points like the vulnerable edit_employee.php script.

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and correction of the specific SQL injection flaw in the application.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Enables vulnerability scanning to identify SQL injection flaws like CVE-2026-26700 for timely remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in unauthenticated web app endpoint (/edit_employee.php) directly enables remote exploitation of a public-facing application (T1190) with full read/write/delete impact on backend data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_employee.php.

Deeper analysisAI

CVE-2026-26700, published on 2026-03-02, is a critical SQL injection vulnerability (CWE-89) in the sourcecodester Personnel Property Equipment System v1.0. The flaw resides in the /ppes/admin/edit_employee.php component, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which reflects its high severity due to the potential for severe impacts across confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables high-impact outcomes, including unauthorized access to sensitive data (C:H), modification of database contents (I:H), and disruption of system availability (A:H), such as extracting, altering, or deleting employee records and other personnel property equipment data.

Mitigation details are outlined in the referenced advisory at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/personel-property-equipment-system/SQL-1.md. No vendor patches or additional remediation steps are specified in the CVE record.

Details

CWE(s)
CWE-89

Affected Products

jon-remus-sevellejo
personnel property equipment system
1.0

CVEs Like This One

CVE-2026-26701Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26702Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26703Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-26699Same product: Jon-Remus-Sevellejo Personnel Property Equipment System
CVE-2026-3180Shared CWE-89
CVE-2025-1872Shared CWE-89
CVE-2026-32458Shared CWE-89
CVE-2026-24494Shared CWE-89
CVE-2025-26875Shared CWE-89
CVE-2026-26263Shared CWE-89

References