CVE-2026-10624: SourceCodester HRM Employee Data Exposure Vulnerability
CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-99
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifiers. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in /detailview.php of SourceCodester HRM 1.0 and is classified as improper control of resource identifiers (CWE-99). An authenticated attacker can craft requests with manipulated 'employeeid' values to retrieve employee records outside their authorized scope. The vulnerability requires valid login credentials but does not demand elevated privileges, and the attack surface is network-accessible. No user interaction is needed beyond the initial request.
Business impact
Unauthorized access to employee records poses confidentiality risks, potentially exposing sensitive personal and employment information. While the CVSS score reflects low to moderate severity, the reputational and compliance consequences—particularly under data protection regulations—may be significant. Organizations face potential notification obligations and increased insider threat vectors if employee data is exfiltrated by legitimate but malicious users.
Affected systems
SourceCodester Human Resource Management version 1.0 is confirmed affected. Organizations should audit their deployment inventory to identify all instances. The vulnerability applies to systems accessible over the network, regardless of internal or external exposure.
Exploitability
The attack is highly practical: it requires only valid login credentials and standard HTTP requests to manipulate the employeeid parameter. No complex exploitation techniques, race conditions, or client-side bypasses are necessary. Public disclosure of exploit code increases the likelihood of opportunistic attacks from both internal and external threat actors with valid credentials.
Remediation
Upgrade SourceCodester HRM to a patched version released after the vulnerability disclosure. Verify patch availability and compatibility with your deployment through the vendor's official advisory. In the interim, implement strong access controls and logging around the /detailview.php endpoint to detect suspicious employeeid parameter values.
Patch guidance
Contact SourceCodester or review their security advisory for confirmed patch versions addressing CVE-2026-10624. Apply patches in a controlled test environment before production rollout. Verify that access controls properly restrict employees to viewing only authorized records post-patch.
Detection guidance
Monitor access logs for /detailview.php requests where the employeeid parameter differs significantly from the authenticated user's own ID or department scope. Implement alerting for sequential or random employeeid parameter values that suggest enumeration attempts. Review user access to sensitive employee fields within your HRM system for anomalies.
Why prioritize this
Although the CVSS score is 4.3 (MEDIUM), the combination of public exploit availability, authenticated attack vector, and direct access to sensitive employee data warrants prompt remediation. Organizations should prioritize patching to reduce insider-threat risk and meet data protection compliance obligations.
Risk score, explained
CVSS 3.1 score of 4.3 reflects the moderate risk profile: network-accessible, requires authentication (lowering severity), and results in confidentiality loss without integrity or availability impact. The presence of disclosed exploits elevates operational risk despite the numerical score.
Frequently asked questions
Do I need administrative credentials to exploit this vulnerability?
No. The CVSS vector indicates PR:L (low privilege required), meaning any authenticated user can exploit it. Standard employee accounts are sufficient to perform the attack.
Is this vulnerability being exploited in the wild?
Public exploit code has been disclosed, which increases the likelihood of active exploitation. However, exploit activity depends on attacker knowledge of your HRM deployment and the number of vulnerable instances exposed.
What data is at risk?
Any employee information accessible through the /detailview.php endpoint is at risk, including personal details, compensation records, and employment history—depending on what your HRM system stores and displays.
Can this vulnerability be exploited without network access?
No. The CVSS vector indicates AV:N (network-accessible), meaning the attack can be performed remotely over standard network channels by any user with valid login credentials.
This analysis is provided for informational purposes and reflects the vulnerability data as of the publication date. Patch availability, exploitation status, and remediation guidance are subject to change. Organizations should verify all patch versions, compatibility, and vendor advisories independently before deployment. SEC.co does not guarantee the accuracy of third-party vendor information or the completeness of affected product lists. Always consult official vendor security advisories and conduct thorough testing in non-production environments before applying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10168MEDIUMImproper Resource Control in OUSL-GROUP-BrinaryBrains Student Management System
- CVE-2026-10299LOWOnline Hospital Management System Resource Identifier Control Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11