A vulnerability was found in IceHRM up to 35.0.1. It has been declared as critical. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection.
This vulnerability is tracked as CVE-2026-15478. The attack can be launched remotely. Moreover, an exploit is present.
The project was informed of the problem early through an issue report but has not responded yet.