CVE-2026-15478

Source
https://cve.org/CVERecord?id=CVE-2026-15478
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15478.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15478
Published
2026-07-12T04:30:07.683Z
Modified
2026-07-16T03:31:16.107228396Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
IceHRM UserReport Endpoint EmployeeAttendanceReport.php sql injection
Details

A flaw has been found in IceHRM up to 35.0.1. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-74",
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15478.json"
}
References

Affected packages

Git / github.com/gamonoid/icehrm

Affected ranges

Type
GIT
Repo
https://github.com/gamonoid/icehrm
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "35.0.0"
        },
        {
            "last_affected": "35.0.0"
        },
        {
            "introduced": "35.0.1"
        },
        {
            "last_affected": "35.0.1"
        }
    ]
}

Affected versions

35.*
35.0.0
35.0.1
v35.*
v35.0.0
v35.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15478.json"