Cyber Resilience

CVE-2026-3751

MediumPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3751 is a medium-severity Injection (CWE-74) vulnerability in Oretnom23 Employee Task Management System. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3751 is a SQL injection vulnerability affecting SourceCodester Employee Task Management System 1.0. The issue resides in an unknown function within the file /daily-attendance-report.php of the GET Parameter Handler component, where manipulation of the "Date" argument triggers the injection. Published on 2026-03-08, it is associated with CWEs-74 and CWE-89.

The vulnerability enables remote exploitation with low attack complexity but requires high privileges (PR:H) from the attacker, with no user interaction needed. Per its CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), successful attacks can result in low-level impacts to confidentiality, integrity, and availability.

VulDB advisories (ctiid.349729, id.349729, submit.768034) document the issue, while a public proof-of-concept exploit is available on GitHub at Web-Security-PoCs/Employee-Task-Management-System/SQLi-DailyAttendanceReport-date.md. The vendor site is www.sourcecodester.com.

The exploit is public and may be used, increasing the risk for unpatched instances.

EU & UK References

Vulnerability details

A vulnerability was detected in SourceCodester Employee Task Management System 1.0. Impacted is an unknown function of the file /daily-attendance-report.php of the component GET Parameter Handler. The manipulation of the argument Date results in sql injection. The attack may be…

more

performed from remote. The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a remotely accessible web app (daily-attendance-report.php GET parameter) directly enables exploitation of the application for initial access (T1190) and unauthorized queries against the backend database (T1213.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3752Same product: Oretnom23 Employee Task Management System
CVE-2025-2387Same vendor: Oretnom23
CVE-2025-3018Same vendor: Oretnom23
CVE-2025-2655Same vendor: Oretnom23
CVE-2025-2654Same vendor: Oretnom23
CVE-2025-2846Same vendor: Oretnom23
CVE-2026-3746Same vendor: Oretnom23
CVE-2026-26708Same vendor: Oretnom23
CVE-2026-2848Same vendor: Oretnom23
CVE-2025-0173Same vendor: Oretnom23

Affected Assets

oretnom23
employee task management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the untrusted "Date" GET parameter to block SQL injection payloads in daily-attendance-report.php.

prevent

Limits the high-privilege accounts that can reach the vulnerable endpoint, reducing the population able to trigger the injection.

prevent

Mandates timely application of patches or code fixes to eliminate the SQL injection flaw once the public exploit is known.

References