Cyber Resilience

CVE-2026-3752

MediumPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3752 is a medium-severity Injection (CWE-74) vulnerability in Oretnom23 Employee Task Management System. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3752 is a SQL injection vulnerability (CWE-74, CWE-89) affecting SourceCodester Employee Task Management System versions up to 1.0. The issue stems from an unknown function in the file /daily-task-report.php within the GET Parameter Handler component, where manipulation of the "Date" GET parameter enables SQL injection. The vulnerability was published on 2026-03-08 and carries a CVSS 3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

Remote attackers with high privileges (PR:H) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited disclosure of information, minor modification of data, and partial denial of service, though the scope remains unchanged.

Advisories detailing the vulnerability are available on VulDB (ctiid.349730, id.349730, submit.768035), with a proof-of-concept exploit published on GitHub at https://github.com/meifukun/Web-Security-PoCs/blob/main/Employee-Task-Management-System/SQLi-DailyTaskReport-date.md. The vendor's website is at https://www.sourcecodester.com/. No specific patch or mitigation details are provided in the referenced sources.

EU & UK References

Vulnerability details

A flaw has been found in SourceCodester Employee Task Management System up to 1.0. The affected element is an unknown function of the file /daily-task-report.php of the component GET Parameter Handler. This manipulation of the argument Date causes sql injection.…

more

It is possible to initiate the attack remotely. The exploit has been published and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a network-accessible web app directly enables exploitation of public-facing applications (T1190) and subsequent access/manipulation of data in the backend database (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3751Same product: Oretnom23 Employee Task Management System
CVE-2025-2387Same vendor: Oretnom23
CVE-2025-3018Same vendor: Oretnom23
CVE-2025-2655Same vendor: Oretnom23
CVE-2025-2654Same vendor: Oretnom23
CVE-2025-2846Same vendor: Oretnom23
CVE-2026-3746Same vendor: Oretnom23
CVE-2026-26708Same vendor: Oretnom23
CVE-2026-2848Same vendor: Oretnom23
CVE-2025-0173Same vendor: Oretnom23

Affected Assets

oretnom23
employee task management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the untrusted Date GET parameter before it reaches the SQL query in daily-task-report.php.

prevent

Limits the high-privilege accounts (PR:H) that can reach the vulnerable endpoint, reducing the population able to supply malicious input.

detect

Enables monitoring and alerting on anomalous SQL syntax or error patterns originating from the daily-task-report.php Date parameter.

References