CVE-2026-15137 in Interview Management Systeminfo

Summary

by MITRE • 07/09/2026

A weakness has been identified in code-projects Interview Management System 1.0. This vulnerability affects unknown code of the file \inc\classes\View.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in code-projects Interview Management System 1.0 represents a critical sql injection flaw that stems from inadequate input validation within the application's backend processing logic. This weakness specifically manifests in the \inc\classes\View.php file where user-supplied ID parameters are directly incorporated into database queries without proper sanitization or parameterization. The vulnerability operates under CWE-89 which classifies sql injection as a condition where an attacker can execute arbitrary sql commands through manipulated input fields, making it one of the most prevalent and dangerous web application security flaws.

The technical implementation of this vulnerability allows remote attackers to manipulate the ID argument passed to the View.php class, enabling them to inject malicious sql payloads that can bypass authentication mechanisms, extract sensitive data from the database, modify or delete records, and potentially gain unauthorized access to the underlying system. The attack vector is particularly concerning because it requires no local access or privileged credentials, as the exploit can be initiated entirely through remote network connections. This characteristic aligns with ATT&CK technique T1190 which describes exploitation of remote services through network-based attacks.

The operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise and potential lateral movement within affected networks. Attackers could leverage this weakness to escalate privileges, create backdoors, or establish persistent access points that would allow continued unauthorized access over time. The public availability of exploit code significantly increases the risk surface as it reduces the barrier to entry for malicious actors who may not possess advanced technical skills but can still execute sophisticated attacks using readily available tools.

Mitigation strategies should prioritize immediate patching of the vulnerable application version and implementation of proper input validation mechanisms including parameterized queries, prepared statements, and comprehensive data sanitization routines. Organizations should also deploy web application firewalls to detect and block suspicious sql injection patterns, implement database access controls with least privilege principles, and establish monitoring procedures to detect unauthorized database activities. The vulnerability demonstrates the critical importance of secure coding practices and regular security assessments as outlined in OWASP Top 10 2021 category a03 which emphasizes injection flaws as one of the most significant web application security risks requiring immediate attention and remediation.

Responsible

VulDB

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!