Platform
php
Component
leave-application-system
Fixed in
1.0.1
CVE-2026-5326 describes an authorization bypass vulnerability discovered in SourceCodester Leave Application System version 1.0. This flaw allows attackers to manipulate the 'ID' argument within the /index.php?page=manage_user endpoint, potentially granting unauthorized access. The vulnerability is remotely exploitable and a public proof-of-concept exists, indicating a heightened risk. Mitigation involves upgrading to a patched version when available.
The primary impact of CVE-2026-5326 is unauthorized access to user management functionalities within the Leave Application System. An attacker exploiting this vulnerability could potentially create, modify, or delete user accounts, escalate privileges, and gain access to sensitive employee data. Given the availability of a public exploit, the risk of widespread exploitation is significant. The blast radius extends to any organization utilizing the vulnerable version of the Leave Application System, particularly those handling sensitive employee information.
CVE-2026-5326 is publicly known with a readily available proof-of-concept, indicating a high probability of exploitation. The vulnerability was disclosed on 2026-04-02. It is not currently listed on CISA KEV, but the public exploit suggests active scanning and potential exploitation attempts are likely. Organizations should prioritize remediation due to the ease of exploitation.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2026-5326 is to upgrade to a patched version of SourceCodester Leave Application System. Since a fixed version is not explicitly mentioned, consider implementing temporary workarounds. These may include restricting access to the /index.php?page=manage_user endpoint to authorized users only, implementing stricter input validation on the 'ID' parameter, and monitoring the application logs for suspicious activity. Implement a Web Application Firewall (WAF) rule to block requests with potentially malicious 'ID' parameters. After applying any mitigation steps, verify their effectiveness by attempting to access user management functionalities with unauthorized credentials.
Update to a patched version or implement appropriate access controls to restrict unauthorized access to user information. Validate and sanitize user inputs to prevent parameter manipulation.
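The access-control and input-validation workarounds above, as an added illustrative example in PHP (the platform listed for this component). This is hypothetical code, not taken from the SourceCodester Leave Application System; it assumes the request parameter is `id`, that the session stores the logged-in user's `user_id` and `role`, and that `$pdo` is an existing PDO connection.

```php
<?php
// Added example of a server-side authorization check for a manage_user-style
// page. Hypothetical code; parameter name, session keys and the users table
// layout are assumptions, not the project's actual implementation.
declare(strict_types=1);

session_start();

function canManageUser(array $session, int $targetId): bool
{
    // Anonymous requests are denied outright.
    if (empty($session['user_id']) || empty($session['role'])) {
        return false;
    }
    // Administrators may manage any account.
    if ($session['role'] === 'admin') {
        return true;
    }
    // Everyone else may only act on their own record, so a tampered id
    // pointing at another account is rejected whatever value it carries.
    return (int) $session['user_id'] === $targetId;
}

// Validate the id parameter before it is used anywhere else.
$rawId = $_GET['id'] ?? '';
if (!ctype_digit($rawId)) {
    http_response_code(400);
    exit('Invalid id');
}
$targetId = (int) $rawId;

if (!canManageUser($_SESSION, $targetId)) {
    // Record the rejected attempt for log monitoring, then deny without
    // revealing whether the requested account exists.
    error_log(sprintf(
        'manage_user denied: session user=%s target=%d ip=%s',
        $_SESSION['user_id'] ?? 'none',
        $targetId,
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    http_response_code(403);
    exit('Forbidden');
}

// Only after authorization succeeds is the record fetched, via a prepared statement.
$stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE id = ?');
$stmt->execute([$targetId]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

The check is performed on the server for every request to the page; a client-side restriction alone would not prevent a direct request with a modified id.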
CVE-2026-5326 is a medium severity authorization bypass vulnerability affecting SourceCodester Leave Application System version 1.0, allowing attackers to bypass access controls via the /index.php?page=manage_user endpoint.
If you are using SourceCodester Leave Application System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of SourceCodester Leave Application System. Until a patch is available, implement temporary workarounds like restricting access and input validation.
Due to the availability of a public exploit, CVE-2026-5326 is likely being actively exploited or targeted by attackers. Prompt remediation is crucial.
Refer to the SourceCodester website or their official communication channels for the latest advisory regarding CVE-2026-5326 and available patches.