CVE-2026-37347: SQL Injection in SourceCodester Payroll Management System

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


A critical CVSS 9.1 SQL injection vulnerability in SourceCodester Payroll Management and Information System v1.0 allows remote attackers to dump employee payroll data via the /payroll/view_employee.php endpoint.

Dylan H.

Security Team

April 17, 2026
5 min read

Affected Products

  • SourceCodester Payroll Management and Information System 1.0

CVE-2026-37347: SQL Injection in Payroll Management and Information System

A critical SQL injection vulnerability designated CVE-2026-37347 has been disclosed in SourceCodester Payroll Management and Information System v1.0, a PHP-based application used by small organizations to manage employee payroll records, salary disbursements, and HR data. The vulnerability is located in the employee view endpoint and allows remote attackers to execute arbitrary SQL commands and extract sensitive payroll and personnel data.

The flaw carries a CVSS v3.1 score of 9.1 (Critical) under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands (SQL Injection).


Vulnerability Overview

Attribute                 Value
CVE ID                    CVE-2026-37347
CVSS Score                9.1 (Critical)
CWE Classification        CWE-89 — SQL Injection
Affected Software         SourceCodester Payroll Management and Information System 1.0
Vulnerable File           /payroll/view_employee.php
Attack Vector             Network (Remote)
Authentication Required   Low
Patch Available           None confirmed

Technical Details

Affected Component

The vulnerability exists in the employee detail view page at /payroll/view_employee.php. This endpoint renders an individual employee's payroll profile — including salary, deductions, and employment details — and passes the id query parameter into a SQL query without validation, escaping, or parameter binding.

Exploitation Mechanism

An attacker can inject SQL commands through the employee ID parameter to read data beyond the intended scope:

GET /payroll/view_employee.php?id=1' UNION SELECT NULL,name,salary,bank_account,NULL FROM employees-- HTTP/1.1
Host: target.example.com

Successful exploitation enables:

  • Salary and compensation data theft — exact salary figures, bonuses, and deduction records for all employees
  • Employee PII extraction — names, addresses, national IDs, bank account numbers
  • Administrative credential compromise — dumping admin account hashes from the users table
  • Full database enumeration — reading all tables including payroll history and HR notes
  • Regulatory violation — unauthorized access to payroll data triggers data protection obligations in most jurisdictions

Payroll Data Sensitivity

Payroll systems represent some of the highest-sensitivity targets in a small business environment. Unlike general application databases, payroll systems by design contain:

  • Exact compensation figures — salary, hourly rates, overtime
  • Bank account numbers — required for direct deposit processing
  • Tax identification numbers — SSN, SIN, or national ID equivalents
  • Employment history — hire dates, termination records, performance notes

A single SQL injection against a payroll endpoint can yield a complete compensation and banking dataset for an entire organization.


Attack Flow

  1. Attacker identifies a publicly accessible SourceCodester Payroll Management deployment
  2. Attacker sends a crafted request to /payroll/view_employee.php with a SQL payload in the id parameter
  3. PHP interpolates the attacker's payload directly into the database query; no binding or escaping is applied
  4. Database returns payroll records including salaries, bank accounts, and employee PII
  5. Attacker exfiltrates the full employee compensation dataset
  6. With admin credentials from the dump, the attacker gains full application control and may modify payroll records

Broader Impact: Payroll Data Exposure

The exposure of payroll data carries cascading consequences:

  • Financial fraud — bank account numbers enable fraudulent transfers or account takeover
  • Identity theft — national IDs and tax numbers enable identity fraud
  • Corporate espionage — compensation data reveals organizational structure and hiring priorities
  • Regulatory penalties — GDPR, PIPEDA, and similar regulations impose significant fines for unauthorized payroll data exposure
  • Employee trust damage — disclosure of salary data has serious internal cultural and legal implications

Remediation

No patch has been released. Organizations running SourceCodester Payroll Management System should act immediately:

Immediate Mitigations

  1. Restrict access — ensure /payroll/ is not publicly internet-accessible; require VPN or IP allowlisting
  2. Require authentication — gate all payroll views behind a valid authenticated session check
  3. Monitor access logs — alert on anomalous query patterns or unusual access to view_employee.php
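As an added example (not from the advisory or the SourceCodester project), the following Python script implements the log-monitoring step above: it parses combined-format access log lines, isolates requests to /payroll/view_employee.php, and flags any id value that is not a plain integer, reporting the SQL-metacharacter case separately from ordinary malformed input. The log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" format: client IP, identity, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# Tokens that never belong in an integer employee id: quotes, comment markers, UNION/SELECT keywords.
SQLI_TOKENS = re.compile(r"(?i)(\bunion\b|\bselect\b|--|#|/\*|'|\")")
VULNERABLE_PATH = "/payroll/view_employee.php"

def classify_id(raw):
    """Return None for a well-formed numeric id, otherwise a reason string for the finding."""
    decoded = unquote_plus(raw)  # parse_qs already decoded once; this undoes a second encoding layer
    if decoded.isdigit():
        return None
    return "sqli-pattern" if SQLI_TOKENS.search(decoded) else "non-numeric-id"

def scan_log(text):
    """Return one finding per request to the vulnerable endpoint whose id is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(raw)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                                 "id": unquote_plus(raw), "reason": reason})
    return findings

# Constructed sample lines (not real traffic). The second carries the URL-encoded form of the
# UNION SELECT request shown in the advisory; the last is malformed input rather than an injection.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2026:10:01:12 +0000] "GET /payroll/view_employee.php?id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [17/Apr/2026:10:01:20 +0000] "GET /payroll/view_employee.php?id=1%27%20UNION%20SELECT%20NULL,name,salary,bank_account,NULL%20FROM%20employees-- HTTP/1.1" 200 9876
198.51.100.7 - - [17/Apr/2026:10:02:03 +0000] "GET /payroll/index.php HTTP/1.1" 200 2048
198.51.100.7 - - [17/Apr/2026:10:02:10 +0000] "GET /payroll/view_employee.php?id=abc HTTP/1.1" 500 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} reason={f['reason']} id={f['id']!r}")
```

A 200 response with an unusually large byte count on a flagged request is the strongest signal that the injection returned data, so correlate the status and size columns rather than alerting on the pattern alone.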

Code-Level Fix

// Vulnerable pattern: the id parameter is interpolated straight into the query string
$employee_id = $_GET['id'];
$sql = "SELECT * FROM employees WHERE id = '$employee_id'";
$result = mysqli_query($conn, $sql);

// Secure pattern: validate the id as an integer, then bind it as a parameter ($conn is a mysqli object)
$employee_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($employee_id === false || $employee_id === null) {
    http_response_code(400);
    exit('Invalid employee id');
}
$stmt = $conn->prepare("SELECT * FROM employees WHERE id = ?");
$stmt->bind_param("i", $employee_id); // bind_param takes a variable by reference; "i" binds it as an integer
$stmt->execute();
$result = $stmt->get_result();

Database Hardening

Limit the database user's permissions to only what is needed. This does not remove the injection itself, but it bounds what a successful injection can read or modify:

-- Restrict the web app DB user to SELECT only on needed tables
REVOKE ALL PRIVILEGES ON payroll_db.* FROM 'webapp_user'@'localhost';
GRANT SELECT ON payroll_db.employees TO 'webapp_user'@'localhost';
GRANT SELECT, INSERT, UPDATE ON payroll_db.payroll_records TO 'webapp_user'@'localhost';

Impact Assessment

Impact Area              Description
Salary Data Exposure     Full compensation figures for all employees readable via injection
Bank Account Theft       Direct deposit account numbers exfiltrated for financial fraud
Employee PII             National IDs, addresses, and contact details compromised
Admin Credential Theft   Password hashes extractable for admin account takeover
Regulatory Liability     Payroll PII breach triggers mandatory notification and potential fines

Key Takeaways

  1. CVE-2026-37347 is a CVSS 9.1 Critical SQL injection in SourceCodester Payroll Management and Information System 1.0, affecting /payroll/view_employee.php
  2. Payroll systems contain among the most sensitive data classes — salary, banking, and national IDs — making this a high-impact target even for opportunistic attackers
  3. No patch is available — immediately restrict internet access to the payroll application and apply parameterized queries
  4. This CVE is part of a coordinated batch of SourceCodester disclosures alongside CVE-2026-37338 and CVE-2026-37345, indicating a systemic lack of input validation across the SourceCodester product portfolio
  5. Organizations should treat any SourceCodester PHP application as high-risk until a comprehensive security audit has been conducted

Sources

  • CVE-2026-37347 — NIST NVD

Related Reading

  • CVE-2026-37338: SQL Injection in Simple Music Cloud Community System
  • CVE-2026-37345: SQL Injection in Vehicle Parking Management System
  • CVE-2026-3740: SQL Injection in University Management System