This vulnerability allows remote attackers to perform SQL injection via the emid parameter in the emselectByCode function of the Update_Earn_Leave endpoint in CodeAstro Human Resource Management System 1.0. The injection occurs due to improper sanitization or validation of the emid argument, potentially enabling unauthorized database queries or modifications. The exploit is publicly known, increasing the risk of exploitation. No vendor-provided fix or mitigation guidance is currently documented.

Successful exploitation of this SQL injection vulnerability could allow attackers to execute arbitrary SQL commands on the backend database. This may lead to unauthorized data access, data modification, or disruption of service. Given the medium CVSS score (5.3) and limited privileges required (low attack complexity, no user interaction), the impact is moderate but significant for affected systems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing application-level input validation and parameterized queries as temporary mitigations. Monitoring for unusual database activity may help detect exploitation attempts.