CVE-2026-37749
Published: 17 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-37749 is a SQL injection vulnerability (CWE-89) affecting CodeAstro Simple Attendance Management System version 1.0. The flaw resides in the username parameter within the index.php file, enabling remote unauthenticated attackers to bypass authentication mechanisms. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts across confidentiality, integrity, and availability.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious SQL payloads into the username field during login attempts, attackers can bypass authentication entirely, potentially gaining unauthorized access to the system and its functionalities.
References include the vendor's product page at https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/ and a GitHub repository at https://github.com/menevarad007/CVE-2026-37749, which likely contains proof-of-concept details, though no specific patch or mitigation guidance is detailed in the CVE publication from April 17, 2026.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web login enables unauthenticated remote exploitation for authentication bypass, directly facilitating T1190: Exploit Public-Facing Application.