{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5210", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-31T10:18:25.536Z", "datePublished": "2026-03-31T18:30:14.803Z", "dateUpdated": "2026-03-31T18:30:14.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T18:30:14.803Z"}, "title": "SourceCodester Leave Application System file inclusion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "File Inclusion"}]}], "affected": [{"vendor": "SourceCodester", "product": "Leave Application System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-31T12:23:33.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Hemant Raj Bhati (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354346", "name": "VDB-354346 | SourceCodester Leave Application System file inclusion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354346/cti", "name": "VDB-354346 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780419", "name": "Submit #780419 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Local File Inclusion", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used."}], "id": "CVE-2026-5210", "lastModified": "2026-03-31T19:16:29.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T19:16:29.597", "references": [{"source": "cna@vuldb.com", "url": "https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780419"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354346"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354346/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "leave_application_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-31T19:20:21.978508+00:00", "value": {"mitigation_remediation": ["Check the vendor website or support channels for an official patch or an updated version of the Leave Application System.", "If a patch is available, apply it immediately to version 1.0.", "As a temporary measure, restrict access to the application or the \"page\" parameter using firewall or access control rules, limiting exposure to trusted IP addresses.", "Consider deploying a web application firewall to block suspicious inclusion attempts or paths that are not part of normal application usage."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The only documented affected product is SourceCodester Leave Application System version 1.0. No other versions or additional products are identified.", "description_and_impact": "A Local File Inclusion vulnerability exists in SourceCodester Leave Application System 1.0. By manipulating the \"page\" argument, an attacker can force the application to include arbitrary files, potentially leading to execution of malicious code on the server. The description explicitly notes that remote exploitation is possible and the exploit is publicly available, indicating that an unauthenticated attacker can trigger the vulnerability from outside the application.", "risk_and_exploitability": "The CVSS score of 6.9 reflects moderate to high severity. Although an EPSS score is not available and the vulnerability is not listed in the KEV catalog, the public availability of the exploit and the potential for remote code execution make it a high priority risk. Based on the description, the likely attack vector is an unauthenticated HTTP request manipulating a GET or POST parameter; the exploitation requires the application to resolve the file path on the server, implying the vulnerability could be triggered by remote hosts."}}}}, "created": "2026-03-31T19:53:34.384914+00:00", "updated": "2026-03-31T20:37:27.749241+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$leave_application_system"]}