CVE-2026-5326 PUBLISHED

A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.

• Hemant Raj Bhati (VulDB User) reporter

• VDB-354657 | SourceCodester Leave Application System User Information index.php authorization
• VDB-354657 | CTI Indicators (IOB, IOC, IOA)
• Submit #780773 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Improper Authorization
• https://medium.com/@hemantrajbhati5555/insecure-direct-object-reference-idor-in-leave-application-system-php-sqlite3-66af35b8b6ea
• https://www.sourcecodester.com/

• Authorization Bypass CWE
• Improper Authorization CWE