{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37749", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-17T15:23:39.696Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-17T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-17T14:42:42.439Z"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/"}, {"url": "https://github.com/menevarad007/CVE-2026-37749"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T15:22:56.325933Z", "id": "CVE-2026-37749", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T15:23:39.696Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-37749", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T15:22:56.325933Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T15:19:03.375Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/"}, {"url": "https://github.com/menevarad007/CVE-2026-37749"}], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-17T14:42:42.439Z"}}}, "cveMetadata": {"cveId": "CVE-2026-37749", "state": "PUBLISHED", "dateUpdated": "2026-04-17T15:23:39.696Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-17T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php."}], "id": "CVE-2026-37749", "lastModified": "2026-04-17T16:17:07.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-17T15:16:51.763", "references": [{"source": "cve@mitre.org", "url": "https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/"}, {"source": "cve@mitre.org", "url": "https://github.com/menevarad007/CVE-2026-37749"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}]}, "product": "simple_attendance_management_system", "vendor": "codeastro"}], "analysis": {"en": {"generated_at": "2026-04-18T09:24:31.225727+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011supplied update that removes the insecure handling of the username field.", "Replace the raw SQL construction in index.php with parameterized queries or prepared statements to eliminate injection risk.", "Enforce additional controls such as IP whitelisting or two\u2011factor authentication for the login endpoint to reduce the likelihood of successful exploitation."], "summary": {"action": "Patch now", "impact": "remote authentication bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CodeAstro Simple Attendance Management System, specifically version 1.0. No other product versions or vendors are listed in the available data.", "description_and_impact": "A SQL injection flaw exists in the username input of the index.php page of the CodeAstro Simple Attendance Management System. The attacker can supply crafted input that modifies the underlying SQL query, allowing them to bypass the login check and authenticate as any user or gain full application access. This leads to a complete loss of confidentiality, integrity, and availability for the system and the data it manages.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a very high severity, and the lack of an EPSS score prevents precise quantitative assessment of exploitation probability. The remote, unauthenticated nature of the exploit and its ability to grant unrestricted access indicate that the attacker can gain full application control. Because the attack vector requires only a standard HTTP request to the vulnerable script, it can be performed from any external network without requiring local privileges. As the vulnerability is already publicly documented, exploitation could be readily automated by attackers if a patch is not applied promptly."}}}}, "created": "2026-04-17T20:40:16.543631+00:00", "updated": "2026-04-18T09:30:25.690240+00:00", "vendors": ["codeastro", "codeastro$PRODUCT$simple_attendance_management_system"]}